This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

How to recognize snmp traffic from a linux server?

Go to solution
VishamRawat
Beginner
Beginner

‎2018-08-22 11:32 AM

How would I know that particular events are snmp traps sent from a Linux server, as opposed to the regular logs being sent from the server to RSA SA?

I believe I've configured everything proper for snmp traps to be sent to and received by RSA SA, and want to verify if they're registering or not.

Is there a particular metakey that'll immediately help identify if the traffic is a snmp trap?

0 Likes
1 ACCEPTED SOLUTION

Accepted Solutions

Go to solution
VishamRawat
Beginner
Beginner
In response to ArjunKothapalli

‎2018-09-12 07:40 AM

command tailf /var/log/messages |grep -i snmp

NwLogCollector[22071]: [SnmpTrapCollection] [info] TID: 22285 - Got 1 buffered traps

Yes, got this - only thing is it doesn't tell from which device the trap was received.

Have to painstakingly figure that out from the console manually - a problem when the trap is being mapped to a different device type, or falls under unknown along with several other syslog messages for that device.

Anyhow, thanks!

View solution in original post

0 Likes
3 REPLIES 3

Go to solution
ArjunKothapalli
Beginner
Beginner

‎2018-08-22 11:58 AM

you can login to log collector and very if you are receiving snmp traps or not by using below command.

tailf /var/log/messages |grep -i snmp

The sample output should be like below.

NwLogCollector[22071]: [SnmpTrapCollection] [info] TID: 22285 - Got 1 buffered traps

Go to solution
VishamRawat
Beginner
Beginner
In response to ArjunKothapalli

‎2018-08-31 11:48 AM

Hi Arjun,

 

I ran the command tailf /var/log/messages |grep -i snmp, and I get something to this effect -

Aug 31 15:46:00 Collector snmpd[1900]: Connection from UDP: [DeviceIP]:57495->[CollectorIP]

But I see no snmp traps from this device; what does it say here? merely a connection that's available but inactive?

0 Likes

Go to solution
VishamRawat
Beginner
Beginner
In response to ArjunKothapalli

‎2018-09-12 07:40 AM

command tailf /var/log/messages |grep -i snmp

NwLogCollector[22071]: [SnmpTrapCollection] [info] TID: 22285 - Got 1 buffered traps

Yes, got this - only thing is it doesn't tell from which device the trap was received.

Have to painstakingly figure that out from the console manually - a problem when the trap is being mapped to a different device type, or falls under unknown along with several other syslog messages for that device.

Anyhow, thanks!

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.