How to configure SNMP on NetWitness Hosts, create an SNMPv3 user and run an SNMPWalk to test the SNMP functionality.
You can follow the steps below to enable SNMP, create an SNMPv3 user and run an SNMPWalk to test it on a NetWitness host.
- If the file /etc/snmp/snmpd.conf does not exist, download the script nwsnmpconfig-2015.09.10.sh attached to this article, transfer it to your appliance, and run it.
If /etc/snmp/snmpd.conf exists but is not the netwitness-customized version, you still need to transfer the script to your appliance and run it.
Note: /etc/snmp/snmpd.conf is the netwitness-customized version when the second line of the file is: #Sample Security Analytics snmpd.conf file.
A) Run this command to add execute permissions to the file
#chmod +x nwsnmpconfig-2015.09.10.sh
B) Execute the script:
./nwsnmpconfig-2015.09.10.sh
- Verify that iptables allows SNMP access and that the customer allows it on any other internal firewall; both are required for SNMP to work. (You may reference: https://community.netwitness.com/t5/netwitness-knowledge-base/how-to-write-iptable-rules-in-netwitness-platform-11-x/ta-p/677538)
A) Iptables: To list out the rules with line numbers:
#iptables -L --line-numbers
Save the current iptables configuration:
#service iptables save
B) Take a backup of the current iptables configuration:
#cp /etc/sysconfig/iptables /etc/sysconfig/iptables.backup.$(date +"%Y%m%d_%H%M")
C) Take note of the line number of the final INPUT chain DROP rule, because the allow rules must be inserted before that line:
#iptables -L --line-numbers | grep DROP
Chain INPUT (policy DROP)
23 DROP all -- anywhere anywhere
Chain FORWARD (policy DROP)
1 DROP all -- anywhere anywhere
D) Add the new iptables logic to allow for SNMP Traffic.
Note: In this example the rules are inserted before line 23, the final INPUT chain DROP, so they are inserted at position 22. Because each command inserts at position 22, the second insert pushes the first rule down to line 23, which is what the verification output below shows.
#iptables -I INPUT 22 -p udp -m state --state NEW -m udp --dport 161 -j ACCEPT
#iptables -I INPUT 22 -p udp -m state --state NEW -m udp --dport 162 -j ACCEPT
- Save & Restart iptables if modified.
A) Save iptables:
#service iptables save
B) Restart iptables
#service iptables restart
C) Verify the changes:
#iptables -L --line-numbers | grep -i snmp
22 ACCEPT udp -- anywhere anywhere state NEW udp dpt:snmptrap
23 ACCEPT udp -- anywhere anywhere state NEW udp dpt:snmp
- Stop snmpd if the service is running.
#service snmpd status
#service snmpd stop
- Configure snmpd to start at boot and start snmpd service:
#chkconfig snmpd on
- Create a new SNMP v3 user account (-A sets the authentication password, -X the encryption password). In the examples below, SHA1 is used for authentication and AES for encryption of the traffic; the second example adds -ro to create a read-only user. You may change the algorithms if needed.
Example:
#net-snmp-create-v3-user -A snmppassword -X snmppassword -x AES -a SHA snmpadmin
-or-
#net-snmp-create-v3-user -ro -A snmppassword -X snmppassword -x AES -a SHA snmpadmin
Note: When it runs successfully, the following output will be returned:
adding the following line to /var/lib/net-snmp/snmpd.conf:
createUser snmpadmin SHA "snmppassword" AES snmppassword
adding the following line to /etc/snmp/snmpd.conf:
rwuser snmpadmin
Sample output when creating a user with the '-ro' option:
adding the following line to /var/lib/net-snmp/snmpd.conf:
createUser snmpadmin2 SHA "snmppassword" AES snmppassword
adding the following line to /etc/snmp/snmpd.conf:
rouser snmpadmin2
- Open /etc/snmp/snmpd.conf and uncomment "master agentx":
#vi /etc/snmp/snmpd.conf
- Check the created users under "Process Monitoring" in /etc/snmp/snmpd.conf:
If the "net-snmp-create-v3-user -A snmppassword -X snmppassword -x AES -a SHA snmpadmin" command was used in the user creation step (step 6), ensure the entry under "Process Monitoring" in the snmpd.conf file matches "rwuser snmpadmin".
If the "net-snmp-create-v3-user -ro -A snmppassword -X snmppassword -x AES -a SHA snmpadmin" command was used in the user creation step (step 6), ensure the entry under "Process Monitoring" in the snmpd.conf file matches "rouser snmpadmin".
#vi /etc/snmp/snmpd.conf
- Start snmpd.
#service snmpd start
- Restart the Core services on the host being configured (stop capture or aggregation before the restart), e.g. 'restart nwappliance', 'restart nwdecoder', 'restart nwconcentrator':
#systemctl restart nwappliance
#systemctl restart nwdecoder
#systemctl restart nwconcentrator
- Run snmpwalk to confirm (note that -l authNoPriv exercises authentication only; use -l authPriv to also verify the AES privacy settings):
#snmpwalk -v3 -a SHA -A snmppassword -u snmpadmin -x AES -X snmppassword -m "/var/snmp/mibs/NETWITNESS-MIB.txt" -l authNoPriv localhost .1.3.6.1.4.1.36807
Sample output:
#snmpwalk -v3 -a SHA -A snmppassword -u snmpadmin -x AES -X snmppassword -m "/var/snmp/mibs/NETWITNESS-MIB.txt" -l authNoPriv localhost .1.3.6.1.4.1.36807
NETWITNESS-MIB::nwDecoderNodeIndex.0 = INTEGER: 0
NETWITNESS-MIB::nwDecoderNodeIndex.1 = INTEGER: 1
NETWITNESS-MIB::nwDecoderNodeIndex.2 = INTEGER: 2
NETWITNESS-MIB::nwDecoderNodeIndex.3 = INTEGER: 3
NETWITNESS-MIB::nwDecoderNodeIndex.4 = INTEGER: 4
NETWITNESS-MIB::nwDecoderNodeIndex.5 = INTEGER: 5
NETWITNESS-MIB::nwDecoderNodeIndex.6 = INTEGER: 6
NETWITNESS-MIB::nwDecoderNodeIndex.7 = INTEGER: 7
NETWITNESS-MIB::nwDecoderNodeIndex.8 = INTEGER: 8
NETWITNESS-MIB::nwDecoderNodeIndex.9 = INTEGER: 9
NETWITNESS-MIB::nwDecoderNodeIndex.10 = INTEGER: 10
NETWITNESS-MIB::nwDecoderNodeIndex.11 = INTEGER: 11
...
...
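As an added pre-flight check (an example script written for this article, not NetWitness's own tooling), the two functions below automate the manual inspections in the first two steps: whether /etc/snmp/snmpd.conf carries the customized marker on its second line, and which rule number the final INPUT chain DROP sits at, so the allow rules can be inserted before it. The iptables listing is a constructed sample, and the marker is assumed to have no trailing period.

```shell
#!/bin/sh
# Added example (not from the original KB article): pre-flight checks for the
# SNMP procedure. Both functions operate on text, so they run offline.

# Print the rule number of the last DROP rule in the INPUT chain, given the
# output of `iptables -L --line-numbers` on stdin. Prints nothing if none found.
# The printed number is the position to use with `iptables -I INPUT <n>` so the
# new ACCEPT rules land before the DROP.
input_drop_line() {
    awk '
        /^Chain / { in_input = ($2 == "INPUT") }
        in_input && $1 ~ /^[0-9]+$/ && $2 == "DROP" { last = $1 }
        END { if (last != "") print last }
    '
}

# Return 0 if the file exists and its second line is the NetWitness marker the
# article describes (assumed to have no trailing period), otherwise return 1.
snmpd_conf_is_customized() {
    [ -f "$1" ] || return 1
    [ "$(sed -n '2p' "$1")" = "#Sample Security Analytics snmpd.conf file" ]
}

# Constructed sample of `iptables -L --line-numbers` output (abridged).
SAMPLE_IPTABLES='Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
2    ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
23   DROP       all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
num  target     prot opt source               destination
1    DROP       all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination'

# Usage: report the INPUT chain DROP position from the sample (prints 23).
printf '%s\n' "$SAMPLE_IPTABLES" | input_drop_line
```

On a live host, replace the sample with `iptables -L --line-numbers | input_drop_line` and pass /etc/snmp/snmpd.conf to the second function.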
-------- Other Useful Links to Reference for SNMP Configurations on NetWitness Hosts --------
Enable SNMP on NW Host via System > Host Tasks:
Host GS: Hosts and Services Maintenance Procedures --
https://community.netwitness.com/t5/netwitness-platform-online/hosts-and-services-maintenance-procedures/ta-p/668920
Article to Configure SNMP on NW Hosts:
KB 26697: How to enable SNMP in OS on NetWitness Platform --
https://community.netwitness.com/t5/netwitness-knowledge-base/how-to-enable-snmp-in-os-on-netwitness-platform/ta-p/677284
Using SNMP Traps
You can configure a NetWitness Platform component to proactively send alerts over Simple Network Management Protocol (SNMP) based on thresholds or system failures.
You can monitor the following for NetWitness Platform components:
- CPU utilization that reaches a defined threshold
- Memory utilization that reaches a defined threshold
- Disk utilization that reaches a defined threshold
SNMP Configuration:
NetWitness Servers can be configured to send out SNMPv3 threshold traps and monitor traps. Threshold traps are sent in conjunction with node thresholds that are configured by the NetWitness Platform Core applications. Monitor traps are sent by the SNMP daemon for the items that are indicated in the SNMP configuration file. You must set up the SNMP daemon on another service to receive SNMP traps from NetWitness Platform. You can set up SNMP on NetWitness Platform in the configuration setting for the NetWitness Server. For more information, see "Service Configuration Settings" in the NetWitness Platform Host and Services Getting Started Guide for a specific type of host.
Sys Maintenance: Monitor Health and Wellness Using SNMP Alerts --
https://community.netwitness.com/t5/netwitness-platform-online/monitor-health-and-wellness-using-snmp-alerts/ta-p/669775
KB 26697: How to configure SNMP traps in RSA NetWitness Platform --
https://community.netwitness.com/t5/netwitness-knowledge-base/how-to-configure-snmp-traps-in-rsa-netwitness-platform/ta-p/677314
How to add FW rules for ports 161 and 162 for SNMP to work on NW Hosts:
KB Article 37864: How to write iptable rules in NetWitness Platform appliances --
https://community.netwitness.com/t5/netwitness-knowledge-base/how-to-write-iptable-rules-in-netwitness-platform-11-x/ta-p/677538
System Logging Configurations (Parameters for SNMPV3)
Host GS: Core Service Logging Configuration --
https://community.netwitness.com/t5/netwitness-platform-online/core-service-logging-configuration-parameters/ta-p/668949