000037066 - How to configure SNMP at the host level on an RSA NetWitness Platform 11.x appliance

Document created by RSA Customer Support Employee on Jan 14, 2019

Article Number: 000037066
Applies To: RSA Product Set: NetWitness Logs & Network
RSA Product/Service Type: Core Appliance
RSA Version/Condition: 11.x
Platform: CentOS 7
Issue: I need to know how to enable SNMP at the host level in my RSA NetWitness Logs & Network 11.x environment.
Resolution: Follow the steps below to enable SNMP at the host level:
  1. Ensure that the net-snmp package is installed on your system. If you are running CentOS 7, it will already be installed.

    # rpm -qa|grep net-snmp

  2. Edit the /etc/snmp/snmpd.conf file and add the following lines.

    This example is for an SA server host that also runs the Broker service.
    The only line that differs between host types is the process monitoring definition (proc) below:
    on a Concentrator host, use "proc NwConcentrator" instead of "proc NwBroker";
    on a Packet Decoder host, use "proc NwDecoder" instead of "proc NwBroker";
    on a Log Decoder host, use "proc NwLogDecoder" instead of "proc NwBroker".

    #----------------------------------------------------------------------- 
    # Agentx Protocol 
    # Enable agentx protocol for Security Analytics appliance service; 
    # requires opening UDP port 161 in the firewall configuration. 
    #----------------------------------------------------------------------- 

    master agentx 

    #----------------------------------------------------------------------- 
    # SNMPv1/SNMPv2c Read-Only Community 
    # Usage: rocommunity community_name [restricted hostname|IPaddress|network/bits] [allowed OID]
    # The default behavior is to allow connections from any host to all OIDs 

    #----------------------------------------------------------------------- 

    rocommunity netwitness 

    # process monitoring definitions, usage: 
    # proc process_name maximum_running minimum_running 
    proc NwAppliance 1 1 
    proc NwBroker 1 1 


    # disk space monitoring definition, usage: 
    # disk mount_point minimum_kb | minimum_percentage% 
    #disk / 10% 
    #disk /tmp 10% 
    #disk /var 10% 
    disk /var/netwitness 10% 
    #disk /var/netwitness/broker 10% 

    # swap space monitoring definition, usage: 
    # swap MIN kb 
    swap 1258291

  3. Add UDP Port 161 in your CentOS 7 firewall rule if necessary. Refer to the article entitled How to add custom firewall rules after nwsetup-tui has completed in RSA NetWitness Logs & Network 11.x for steps on adding a custom firewall rule in CentOS 7.
     
  4. Enable the SNMP service using the commands below.

    # systemctl enable snmpd 
    Created symlink from /etc/systemd/system/multi-user.target.wants/snmpd.service to /usr/lib/systemd/system/snmpd.service. 
    # systemctl start snmpd

  5. Restart the nwappliance service together with the core service running on the host (nwdecoder, nwlogdecoder, nwconcentrator or nwbroker) so that the service registers with snmpd when it comes back up. For example, on a Broker host (substitute nwdecoder, nwlogdecoder or nwconcentrator on the other host types):

    # systemctl restart nwappliance nwbroker


After performing the steps above, SNMP objects should now be accessible on the RSA NetWitness appliances from remote devices.
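As an added check that is not part of this article or of RSA's own tooling, the following Python function lints an snmpd.conf fragment against the per-host expectations above: the agentx master line, a proc definition matching the host's role, the /var/netwitness disk and swap thresholds, and whether the rocommunity line carries the optional source restriction mentioned in the configuration comments (without it, any host may read). The sample configuration is constructed from step 2 and the role names are assumptions.

```python
from typing import List

# Constructed sample: the snmpd.conf lines from step 2 as written on a
# Broker host (comments and blank lines omitted).
SAMPLE_SNMPD_CONF = """\
master agentx
rocommunity netwitness
proc NwAppliance 1 1
proc NwBroker 1 1
disk /var/netwitness 10%
swap 1258291
"""

# Core service process each host role must monitor (process names from the
# article; the role keys are an assumption of this example).
ROLE_PROCESS = {
    "broker": "NwBroker",
    "concentrator": "NwConcentrator",
    "decoder": "NwDecoder",
    "logdecoder": "NwLogDecoder",
}

def check_snmpd_conf(conf: str, role: str) -> List[str]:
    """Return findings for a NetWitness host's snmpd.conf; an empty list is OK."""
    expected = ROLE_PROCESS[role]
    # Tokenise each line, dropping comments ('#' to end of line) and blanks.
    lines = [ln.split("#", 1)[0].split() for ln in conf.splitlines()]
    lines = [f for f in lines if f]
    findings: List[str] = []
    if ["master", "agentx"] not in lines:
        findings.append("missing 'master agentx': NetWitness services cannot register")
    for f in lines:
        # rocommunity NAME [SOURCE [OID]]: with no SOURCE, any host may read.
        if f[0] == "rocommunity" and len(f) == 2:
            findings.append(f"rocommunity '{f[1]}' has no source restriction")
    procs = {f[1] for f in lines if f[0] == "proc" and len(f) > 1}
    for must in ("NwAppliance", expected):
        if must not in procs:
            findings.append(f"no 'proc {must}' line for a {role} host")
    # A proc line for a service that does not run here is always in error.
    for stray in sorted(procs & (set(ROLE_PROCESS.values()) - {expected})):
        findings.append(f"'proc {stray}' does not run on a {role} host and will always report an error")
    if not any(f[0] == "disk" and len(f) > 1 and f[1] == "/var/netwitness" for f in lines):
        findings.append("no disk threshold for /var/netwitness")
    if not any(f[0] == "swap" for f in lines):
        findings.append("no swap threshold")
    return findings

if __name__ == "__main__":
    for finding in check_snmpd_conf(SAMPLE_SNMPD_CONF, "broker"):
        print("finding:", finding)
```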
Notes: This is an update to the existing article entitled How to enable SNMP in RSA NetWitness NextGen 9.6 and above or in RSA Security Analytics.

Testing:
A common method for testing SNMP is to perform an snmpwalk. The snmpwalk tool is part of the net-snmp-utils package.
The following commands confirm that both the base MIB and the NetWitness-specific MIB (enterprise OID .1.3.6.1.4.1.36807) can be queried:

# snmpwalk -v2c -Of -c netwitness 127.0.0.1 
# snmpwalk -v2c -Of -c netwitness 127.0.0.1 .1.3.6.1.4.1.36807


You can also check the swap, disk usage and process monitoring definitions using the commands below.

# snmpwalk -v2c -Of -c netwitness 127.0.0.1 .1.3.6.1.4.1.2021|grep -i swap 
.iso.org.dod.internet.private.enterprises.ucdavis.memory.memErrorName.0 = STRING: swap 
.iso.org.dod.internet.private.enterprises.ucdavis.memory.memTotalSwap.0 = INTEGER: 4194300 kB 
.iso.org.dod.internet.private.enterprises.ucdavis.memory.memAvailSwap.0 = INTEGER: 4194300 kB 
.iso.org.dod.internet.private.enterprises.ucdavis.memory.memMinimumSwap.0 = INTEGER: 1258291 kB 
.iso.org.dod.internet.private.enterprises.ucdavis.memory.memSwapError.0 = INTEGER: noError(0) 
.iso.org.dod.internet.private.enterprises.ucdavis.memory.memSwapErrorMsg.0 = STRING: 
.iso.org.dod.internet.private.enterprises.ucdavis.systemStats.ssRawSwapIn.0 = Counter32: 0 
.iso.org.dod.internet.private.enterprises.ucdavis.systemStats.ssRawSwapOut.0 = Counter32: 0



# snmpwalk -v2c -Of -c netwitness 127.0.0.1 .1.3.6.1.4.1.2021.9 
.iso.org.dod.internet.private.enterprises.ucdavis.dskTable.dskEntry.dskIndex.1 = INTEGER: 1 
.iso.org.dod.internet.private.enterprises.ucdavis.dskTable.dskEntry.dskPath.1 = STRING: /var/netwitness 
.iso.org.dod.internet.private.enterprises.ucdavis.dskTable.dskEntry.dskDevice.1 = STRING: /dev/mapper/netwitness_vg00-nwhome 
.iso.org.dod.internet.private.enterprises.ucdavis.dskTable.dskEntry.dskMinimum.1 = INTEGER: -1 
.iso.org.dod.internet.private.enterprises.ucdavis.dskTable.dskEntry.dskMinPercent.1 = INTEGER: 10 
.iso.org.dod.internet.private.enterprises.ucdavis.dskTable.dskEntry.dskTotal.1 = INTEGER: 466282036 
.iso.org.dod.internet.private.enterprises.ucdavis.dskTable.dskEntry.dskAvail.1 = INTEGER: 442960528 
.iso.org.dod.internet.private.enterprises.ucdavis.dskTable.dskEntry.dskUsed.1 = INTEGER: 23321508 
.iso.org.dod.internet.private.enterprises.ucdavis.dskTable.dskEntry.dskPercent.1 = INTEGER: 5 
.iso.org.dod.internet.private.enterprises.ucdavis.dskTable.dskEntry.dskPercentNode.1 = INTEGER: 0
.iso.org.dod.internet.private.enterprises.ucdavis.dskTable.dskEntry.dskTotalLow.1 = Gauge32: 466282036 
.iso.org.dod.internet.private.enterprises.ucdavis.dskTable.dskEntry.dskTotalHigh.1 = Gauge32: 0 
.iso.org.dod.internet.private.enterprises.ucdavis.dskTable.dskEntry.dskAvailLow.1 = Gauge32: 442960528 
.iso.org.dod.internet.private.enterprises.ucdavis.dskTable.dskEntry.dskAvailHigh.1 = Gauge32: 0 
.iso.org.dod.internet.private.enterprises.ucdavis.dskTable.dskEntry.dskUsedLow.1 = Gauge32: 23321508 
.iso.org.dod.internet.private.enterprises.ucdavis.dskTable.dskEntry.dskUsedHigh.1 = Gauge32: 0 
.iso.org.dod.internet.private.enterprises.ucdavis.dskTable.dskEntry.dskErrorFlag.1 = INTEGER: noError(0) 
.iso.org.dod.internet.private.enterprises.ucdavis.dskTable.dskEntry.dskErrorMsg.1 = STRING:



# snmpwalk -v2c -Of -c netwitness 127.0.0.1 .1.3.6.1.4.1.2021.2 
.iso.org.dod.internet.private.enterprises.ucdavis.prTable.prEntry.prIndex.1 = INTEGER: 1 
.iso.org.dod.internet.private.enterprises.ucdavis.prTable.prEntry.prIndex.2 = INTEGER: 2 
.iso.org.dod.internet.private.enterprises.ucdavis.prTable.prEntry.prNames.1 = STRING: NwAppliance
.iso.org.dod.internet.private.enterprises.ucdavis.prTable.prEntry.prNames.2 = STRING: NwBroker 
.iso.org.dod.internet.private.enterprises.ucdavis.prTable.prEntry.prMin.1 = INTEGER: 1 
.iso.org.dod.internet.private.enterprises.ucdavis.prTable.prEntry.prMin.2 = INTEGER: 1 
.iso.org.dod.internet.private.enterprises.ucdavis.prTable.prEntry.prMax.1 = INTEGER: 1 
.iso.org.dod.internet.private.enterprises.ucdavis.prTable.prEntry.prMax.2 = INTEGER: 1 
.iso.org.dod.internet.private.enterprises.ucdavis.prTable.prEntry.prCount.1 = INTEGER: 1 
.iso.org.dod.internet.private.enterprises.ucdavis.prTable.prEntry.prCount.2 = INTEGER: 1 
.iso.org.dod.internet.private.enterprises.ucdavis.prTable.prEntry.prErrorFlag.1 = INTEGER: noError(0) 
.iso.org.dod.internet.private.enterprises.ucdavis.prTable.prEntry.prErrorFlag.2 = INTEGER: noError(0) 
.iso.org.dod.internet.private.enterprises.ucdavis.prTable.prEntry.prErrMessage.1 = STRING: 
.iso.org.dod.internet.private.enterprises.ucdavis.prTable.prEntry.prErrMessage.2 = STRING: 
.iso.org.dod.internet.private.enterprises.ucdavis.prTable.prEntry.prErrFix.1 = INTEGER: noError(0) 
.iso.org.dod.internet.private.enterprises.ucdavis.prTable.prEntry.prErrFix.2 = INTEGER: noError(0) 
.iso.org.dod.internet.private.enterprises.ucdavis.prTable.prEntry.prErrFixCmd.1 = STRING: 
.iso.org.dod.internet.private.enterprises.ucdavis.prTable.prEntry.prErrFixCmd.2 = STRING: 

# systemctl stop nwbroker    <-- stop the nwbroker service for the test

# snmpwalk -v2c -Of -c netwitness 127.0.0.1 .1.3.6.1.4.1.2021.2 
.iso.org.dod.internet.private.enterprises.ucdavis.prTable.prEntry.prIndex.1 = INTEGER: 1 
.iso.org.dod.internet.private.enterprises.ucdavis.prTable.prEntry.prIndex.2 = INTEGER: 2 
.iso.org.dod.internet.private.enterprises.ucdavis.prTable.prEntry.prNames.1 = STRING: NwAppliance
.iso.org.dod.internet.private.enterprises.ucdavis.prTable.prEntry.prNames.2 = STRING: NwBroker 
.iso.org.dod.internet.private.enterprises.ucdavis.prTable.prEntry.prMin.1 = INTEGER: 1 
.iso.org.dod.internet.private.enterprises.ucdavis.prTable.prEntry.prMin.2 = INTEGER: 1 
.iso.org.dod.internet.private.enterprises.ucdavis.prTable.prEntry.prMax.1 = INTEGER: 1 
.iso.org.dod.internet.private.enterprises.ucdavis.prTable.prEntry.prMax.2 = INTEGER: 1 
.iso.org.dod.internet.private.enterprises.ucdavis.prTable.prEntry.prCount.1 = INTEGER: 1 
.iso.org.dod.internet.private.enterprises.ucdavis.prTable.prEntry.prCount.2 = INTEGER: 0 
.iso.org.dod.internet.private.enterprises.ucdavis.prTable.prEntry.prErrorFlag.1 = INTEGER: noError(0) 
.iso.org.dod.internet.private.enterprises.ucdavis.prTable.prEntry.prErrorFlag.2 = INTEGER: error(1) 
.iso.org.dod.internet.private.enterprises.ucdavis.prTable.prEntry.prErrMessage.1 = STRING: 
.iso.org.dod.internet.private.enterprises.ucdavis.prTable.prEntry.prErrMessage.2 = STRING: No NwBroker process running 
.iso.org.dod.internet.private.enterprises.ucdavis.prTable.prEntry.prErrFix.1 = INTEGER: noError(0) 
.iso.org.dod.internet.private.enterprises.ucdavis.prTable.prEntry.prErrFix.2 = INTEGER: noError(0) 
.iso.org.dod.internet.private.enterprises.ucdavis.prTable.prEntry.prErrFixCmd.1 = STRING: 
.iso.org.dod.internet.private.enterprises.ucdavis.prTable.prEntry.prErrFixCmd.2 = STRING:
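To read walks like the ones above programmatically, here is an added example (not from the article or from RSA) that parses snmpwalk -Of table output into rows keyed by index and reports the rows whose error flag is set. The sample lines are constructed from the prTable output above after nwbroker was stopped; the same function applies to the dskTable columns (dskPath, dskErrorFlag, dskErrorMsg).

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: prTable rows as printed by "snmpwalk -v2c -Of" on the
# Broker host above after "systemctl stop nwbroker" (prIndex rows omitted).
SAMPLE_PRTABLE = """\
.iso.org.dod.internet.private.enterprises.ucdavis.prTable.prEntry.prNames.1 = STRING: NwAppliance
.iso.org.dod.internet.private.enterprises.ucdavis.prTable.prEntry.prNames.2 = STRING: NwBroker
.iso.org.dod.internet.private.enterprises.ucdavis.prTable.prEntry.prCount.1 = INTEGER: 1
.iso.org.dod.internet.private.enterprises.ucdavis.prTable.prEntry.prCount.2 = INTEGER: 0
.iso.org.dod.internet.private.enterprises.ucdavis.prTable.prEntry.prErrorFlag.1 = INTEGER: noError(0)
.iso.org.dod.internet.private.enterprises.ucdavis.prTable.prEntry.prErrorFlag.2 = INTEGER: error(1)
.iso.org.dod.internet.private.enterprises.ucdavis.prTable.prEntry.prErrMessage.1 = STRING:
.iso.org.dod.internet.private.enterprises.ucdavis.prTable.prEntry.prErrMessage.2 = STRING: No NwBroker process running
"""

# One -Of line: <dotted OID name>.<column>.<row index> = <TYPE>: <value>
LINE_RE = re.compile(r"^\.(?:[\w-]+\.)*([\w-]+)\.(\d+)\s*=\s*(\w+):\s?(.*?)\s*$")
NUMERIC_TYPES = {"INTEGER", "Gauge32", "Counter32"}

def parse_snmpwalk(text: str) -> Dict[int, Dict[str, object]]:
    """Group table rows by index: {index: {column: value}}. Numeric types
    become ints (enum labels such as error(1) keep their code); other
    values stay strings."""
    rows: Dict[int, Dict[str, object]] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # blank line or not an OID/value pair
        column, index, vtype, raw = m.groups()
        value: object = raw
        if vtype in NUMERIC_TYPES:
            num = re.search(r"-?\d+", raw)
            value = int(num.group()) if num else raw
        rows.setdefault(int(index), {})[column] = value
    return rows

def rows_in_error(rows: Dict[int, Dict[str, object]], name_col: str,
                  flag_col: str, msg_col: str) -> List[Tuple[str, str]]:
    """(name, message) for every row whose error flag is non-zero; works for
    prTable (prNames/prErrorFlag/prErrMessage) and dskTable
    (dskPath/dskErrorFlag/dskErrorMsg) alike."""
    return [(str(r.get(name_col, idx)), str(r.get(msg_col, "")))
            for idx, r in sorted(rows.items()) if r.get(flag_col, 0) != 0]

def failed_processes(text: str) -> List[Tuple[str, str]]:
    """Processes that snmpd reports below their configured minimum count."""
    return rows_in_error(parse_snmpwalk(text), "prNames", "prErrorFlag", "prErrMessage")

if __name__ == "__main__":
    for name, msg in failed_processes(SAMPLE_PRTABLE):
        print(f"{name}: {msg}")
```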
