2014-03-31 03:20 PM
Has anyone been able to successfully get SNMP v3 traps sent to SA? We are seeing them in a tcpdump coming into SA, but it does not seem to do anything with them. We have set up the snmptrap service on the log collector and enabled the user.
2014-04-01 03:49 AM
Hi,
I have v2 configured and I'm planning to have some v3 however I've just noticed that there is a second config page for v3:
Must be a new 10.3 (and possibly SP2) feature, as I've not seen it before. Sorry if I'm pointing out the obvious.
2014-04-01 01:23 PM
I had added the user there with the proper config but I still don't see it in the logs. Do you know what they should look like? I might just not be looking in the right places, I search by the device.ip and only see the normal logs.
2014-04-03 04:28 AM
Within Investigation? There is nothing majorly different about where the events appear... My advice would be to check via REST on the collector for SNMP to check the stats. See if anything is coming in under that collection mechanism.
Also, I think I remember adding a line into iptables for snmp originally... maybe check there too.
-A INPUT -p udp -m udp --dport 161 -j ACCEPT
Maybe also tail the snmpd log and tail /var/log/messages.
Hope this helps.
2014-04-03 07:58 AM
I have the trap below sent to SA, which I can view from Investigation:
20:56:53.587353 IP SA103SP1.58374 > SA103SP1.snmptrap: F= U=v3snmpuser E= 0x800x000x8F0xC70x800x0C0x220x1F0x600x850x4C0x3D0x530x000x000x000x00 C= V2Trap(140) system.sysUpTime.0=26677922 S:1.1.4.1.0=E:36807.2.1 E:36807.3.1.0="/concentrator/stats/meta.rate" E:36807.3.2.0="0" E:36807.3.3.0="1"
2014-05-15 01:22 AM
Can somebody help me parse SNMP traps? I have never done it before and do not understand what I should do. Sample SNMP traps:
%TRAP [device_addr=10.10.0.189] [device_addr=10.10.0.189] [.1.3.6.1.2.1.1.3.0=0:0:00:00.00] [.1.3.6.1.6.3.1.1.4.1.0=.1.3.6.1.4.1.34849.105.1.0.33570821] [.1.3.6.1.4.1.34849.105.1.1.0=2] [.1.3.6.1.4.1.34849.105.1.2.0=16] [.1.3.6.1.4.1.34849.105.1.3.0=32] [.1.3.6.1.4.1.34849.105.1.4.0="VGATE2"] [.1.3.6.1.4.1.34849.105.1.5.0="14.05.2014 12:35:06"] [.1.3.6.1.6.3.18.1.3.0=10.10.0.189] [.1.3.6.1.6.3.18.1.4.0="public"] [.1.3.6.1.6.3.1.1.4.3.0=.1.3.6.1.4.1.34849.105.1]
%TRAP [device_addr=10.10.0.189] [device_addr=10.10.0.189] [.1.3.6.1.2.1.1.3.0=0:0:00:00.00] [.1.3.6.1.6.3.1.1.4.1.0=.1.3.6.1.4.1.34849.105.1.0.16785410] [.1.3.6.1.4.1.34849.105.1.1.0=1] [.1.3.6.1.4.1.34849.105.1.2.0=8] [.1.3.6.1.4.1.34849.105.1.3.0=64] [.1.3.6.1.4.1.34849.105.1.4.0="VGATE2"] [.1.3.6.1.4.1.34849.105.1.5.0="14.05.2014 12:52:18"] [.1.3.6.1.4.1.34849.105.1.6.0="admin@VGATE2"] [.1.3.6.1.4.1.34849.105.1.7.0="127.0.0.1"] [.1.3.6.1.6.3.18.1.3.0=10.10.0.189] [.1.3.6.1.6.3.18.1.4.0="public"] [.1.3.6.1.6.3.1.1.4.3.0=.1.3.6.1.4.1.34849.105.1]
%TRAP [device_addr=10.10.0.189] [device_addr=10.10.0.189] [.1.3.6.1.2.1.1.3.0=0:0:00:00.00] [.1.3.6.1.6.3.1.1.4.1.0=.1.3.6.1.4.1.34849.105.1.0.16842758] [.1.3.6.1.4.1.34849.105.1.1.0=1] [.1.3.6.1.4.1.34849.105.1.2.0=64] [.1.3.6.1.4.1.34849.105.1.3.0=64] [.1.3.6.1.4.1.34849.105.1.4.0="VGATE2"] [.1.3.6.1.4.1.34849.105.1.5.0="14.05.2014 16:55:23"] [.1.3.6.1.4.1.34849.105.1.6.0="53 4E 4D 50 20 D0 BC D0 BE D0 BD D0 B8 D1 82 D0
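As an added example (not part of this thread, and not one of SA's own parsers), a small Python parser for the %TRAP lines quoted above: it splits the bracketed fields, names the standard varbinds (sysUpTime, snmpTrapOID, snmpTrapAddress, snmpTrapCommunity, snmpTrapEnterprise), keys the vendor varbinds relative to the enterprise OID, and decodes a quoted run of hex octets like the one in the third sample. The first input line is the second sample from the post; the second input line is constructed.

```python
import re

# Standard varbinds in SNMPv2c/v3 notifications (SNMPv2-MIB, SNMP-COMMUNITY-MIB); other OIDs are enterprise-specific.
STANDARD_OIDS = {
    ".1.3.6.1.2.1.1.3.0": "uptime",
    ".1.3.6.1.6.3.1.1.4.1.0": "trap_oid",
    ".1.3.6.1.6.3.1.1.4.3.0": "enterprise",
    ".1.3.6.1.6.3.18.1.3.0": "agent_addr",
    ".1.3.6.1.6.3.18.1.4.0": "community",
}
# One "[key=value]" field: a double-quoted value (may hold spaces or ']') or a bare token up to ']'.
FIELD_RE = re.compile(r'\[([^=\]]+)=("(?:[^"\\]|\\.)*"|[^\]]*)\]')
# Two or more space-separated hex octets, as in the third sample trap.
HEX_OCTETS_RE = re.compile(r"^[0-9A-Fa-f]{2}(?: [0-9A-Fa-f]{2})+$")

# Second sample line from the post above, then a constructed line (not from
# the page) whose quoted value is a hex-encoded UTF-8 string.
SAMPLES = [
    '%TRAP [device_addr=10.10.0.189] [device_addr=10.10.0.189] [.1.3.6.1.2.1.1.3.0=0:0:00:00.00]'
    ' [.1.3.6.1.6.3.1.1.4.1.0=.1.3.6.1.4.1.34849.105.1.0.16785410] [.1.3.6.1.4.1.34849.105.1.1.0=1]'
    ' [.1.3.6.1.4.1.34849.105.1.4.0="VGATE2"] [.1.3.6.1.4.1.34849.105.1.6.0="admin@VGATE2"]'
    ' [.1.3.6.1.6.3.18.1.3.0=10.10.0.189] [.1.3.6.1.6.3.18.1.4.0="public"] [.1.3.6.1.6.3.1.1.4.3.0=.1.3.6.1.4.1.34849.105.1]',
    '%TRAP [device_addr=10.10.0.189] [.1.3.6.1.6.3.1.1.4.1.0=.1.3.6.1.4.1.34849.105.1.0.16842758]'
    ' [.1.3.6.1.4.1.34849.105.1.6.0="53 4E 4D 50 20 D0 BC D0 BE D0 BD D0 B8 D1 82 D0 BE D1 80"]'
    ' [.1.3.6.1.6.3.1.1.4.3.0=.1.3.6.1.4.1.34849.105.1]',
]

def decode_value(raw: str) -> str:
    """Strip surrounding quotes; decode a quoted run of hex octets as UTF-8."""
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        raw = raw[1:-1]
        if HEX_OCTETS_RE.match(raw):
            return bytes.fromhex(raw).decode("utf-8", errors="replace")
    return raw

def parse_trap(line: str) -> dict:
    """Parse one %TRAP line into named header fields plus 'vars', keyed by the
    varbind OID relative to snmpTrapEnterprise (e.g. '4.0' for ...105.1.4.0)."""
    if not line.startswith("%TRAP "):
        raise ValueError("not a %TRAP line")
    fields = [(k, decode_value(v)) for k, v in FIELD_RE.findall(line)]
    trap = {"vars": {}, "device_addr": list(dict.fromkeys(v for k, v in fields if k == "device_addr"))}
    trap.update((STANDARD_OIDS[k], v) for k, v in fields if k in STANDARD_OIDS)
    prefix = trap.get("enterprise", "") + "."  # a bare '.' means no enterprise varbind was present
    for oid, value in fields:
        if oid != "device_addr" and oid not in STANDARD_OIDS:
            rel = oid[len(prefix):] if prefix != "." and oid.startswith(prefix) else oid
            trap["vars"][rel] = value
    return trap
```

The relative keys ("1.0", "4.0", ...) are the names you would then look up in the vendor MIB; a quoted value is only hex-decoded when it is entirely space-separated octet pairs, so ordinary strings such as "VGATE2" pass through unchanged.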
2014-05-15 02:54 AM
Check whether an existing parser exists or not; if there is one, enable it; if there isn't, you need to create a custom parser. Check the ESI document.
2014-05-19 08:32 AM
What do you mean? I have some config in this location:
/etc/netwitness/ng/logcollection/content/transform/snmptrap
But in the location /etc/netwitness/ng/logcollection/content/collection/snmptrap I have only an empty sample snmptrap.xml.
2014-05-20 12:49 PM
Normally you need an NMS (network management system) to read the trap, as it will use the MIB to interpret the message.
2014-05-20 12:53 PM
I have a MIB file for this system. Can I use the MIB file in SA?