000026697 - How to enable SNMP in RSA NetWitness NextGen 9.6 and above or in RSA Security Analytics

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Jul 28, 2017.
Version 10

Article Content

Article Number: 000026697
Applies To: RSA Product Set: Security Analytics, NetWitness
RSA Product/Service Type: Core Appliances
RSA Version/Condition: Security Analytics 10.x; NetWitness NextGen 9.6.x, 9.7.x, 9.8.x, 10.x
Platform: CentOS, Fedora Core
Platform (Other): SNMP
O/S Version: FC9, EL5, EL6
Issue: How to enable SNMP in RSA NetWitness NextGen 9.6 and above or in RSA Security Analytics.
Resolution

RSA NetWitness NextGen 9.6 introduced limited SNMP/MIB functionality, which is also present in RSA Security Analytics.  
To enable SNMP functionality on your 9.6|9.7|9.8 NextGen or Security Analytics 10.x appliance, please do the following:
 


1.  Ensure that the net-snmp package is installed on your system.  If you are running CentOS (all Security Analytics 10.x appliances run on CentOS), it will already be installed. 


  • You can confirm that the package is present with the following command: rpm -qa | grep net-snmp
    • If the package is not installed and if your appliance has internet access and has DNS configured in /etc/resolv.conf, you can simply install it with this command:  yum install net-snmp
    • Enter y when asked to install dependencies.
  • If the package is not installed and if your appliance does not have internet access, 
    • For Fedora 9, download the three Fedora Core 9 RPM files attached to this solution.  Transfer them to your appliance and install them with the command below.
       
      rpm -ivh lm_sensors-3.0.1-5.fc9.x86_64.rpm net-snmp-libs-5.4.1-14.fc9.x86_64.rpm net-snmp-5.4.1-14.fc9.x86_64.rpm

       
    • For CentOS 5, download the four CentOS 5 RPM files attached to this solution. scp them to your appliance and install them with the command below.
       
      rpm -ivh lm_sensors-2.10.7-9.el5.x86_64.rpm net-snmp-libs-5.3.2.2-14.el5.x86_64.rpm net-snmp-5.3.2.2-14.el5.x86_64.rpm net-snmp-utils-5.3.2.2-14.el5.x86_64.rpm

       

2. Edit the /etc/snmp/snmpd.conf file and uncomment the following line: #master agentx 


  • If /etc/snmp/snmpd.conf does not exist, download the nwsnmpconfig-2015.09.10.sh script that is attached to this article, transfer it to your appliance, and run it.  You may first have to make it executable with the following command: chmod +x nwsnmpconfig.sh
  • If you do have /etc/snmp/snmpd.conf but it is not the netwitness-customized version (in the customized version, the second line of the file is # sample netwitness snmpd.conf file), you may need to run the nwsnmpconfig-2015.09.10.sh script on the appliance per the bullet point above. Be certain to back up the previous /etc/snmp/snmpd.conf first, and test using snmpwalk before replacing the file. 
  • If the file is netwitness-customized but is missing the #master agentx line, add master agentx immediately after the line beginning with the following: #agentaddress 192.168.1.1

3. Follow the appropriate step below based on your operating system.  Issue the following command to confirm which operating system you are running:  cat /etc/redhat-release


  • CentOS:
    • Edit /etc/sysconfig/iptables and insert the line below before the following line:  -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
       
      -A INPUT -p udp -m udp --dport 161 -j ACCEPT

       
  • Fedora Core 9:
    • Edit /etc/sysconfig/iptables and insert the line below before the following line: -A INPUT -j REJECT --reject-with icmp-host-prohibited
       
      -A INPUT -p udp -m udp --dport 161 -j ACCEPT

       


4. Issue the following commands:


  • mkdir /var/agentx (Fedora Core 9 Only)
  • chkconfig snmpd on
  • service iptables restart
  • service snmpd start


5. Restart the appliance and nwdecoder | nwlogdecoder | nwconcentrator | nwbroker services in order for the service to register with snmpd when it comes back up.
After performing the steps above, SNMP objects should be accessible on the NextGen or Security Analytics appliances from remote devices.
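The shell helpers below are an added example, not RSA's own nwsnmpconfig script. They perform the file edits of steps 2 and 3 idempotently (uncommenting or adding master agentx with a backup, and inserting the UDP/161 ACCEPT rule before the REJECT line of either the CentOS or the Fedora Core 9 chain), and exercise them on constructed copies of snmpd.conf and the iptables file rather than on /etc. The sample file contents, the rocommunity line and the backup file naming are assumptions for the demonstration; on an appliance you would pass the real paths and then run the service commands of step 4.

```shell
#!/bin/sh
# Added example, not RSA's nwsnmpconfig script: helpers for steps 2 and 3 that
# take the file to edit as an argument, so they can be tried on copies before
# touching /etc. Assumes the GNU awk/coreutils shipped on the appliances.

# Step 2: enable the AgentX master socket. A timestamped backup is written
# first. If "#master agentx" is absent but the file is the customized one
# (it carries the "#agentaddress 192.168.1.1" line), the directive is added
# after that line; otherwise nothing is changed and 1 is returned.
enable_agentx() {
    conf="$1"
    cp -p "$conf" "$conf.bak.$(date +%Y%m%d%H%M%S)" || return 1
    grep -q '^master agentx' "$conf" && return 0            # already enabled
    if grep -q '^#master agentx' "$conf"; then
        awk '/^#master agentx/ { print "master agentx"; next } { print }' \
            "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
    elif grep -q '^#agentaddress 192.168.1.1' "$conf"; then
        awk '{ print } /^#agentaddress 192\.168\.1\.1/ { print "master agentx" }' \
            "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
    else
        echo "$conf: not a NetWitness snmpd.conf; run nwsnmpconfig instead" >&2
        return 1
    fi
}

# Step 3: allow SNMP (UDP/161) through iptables by inserting the ACCEPT rule
# before the final REJECT line. The pattern matches both the CentOS chain
# (-A RH-Firewall-1-INPUT -j REJECT ...) and the Fedora Core 9 chain
# (-A INPUT -j REJECT ...). Idempotent: a second run changes nothing.
add_snmp_rule() {
    rules="$1"
    rule='-A INPUT -p udp -m udp --dport 161 -j ACCEPT'
    grep -qF -- "$rule" "$rules" && return 0                # already present
    awk -v rule="$rule" '
        !done && /-j REJECT --reject-with icmp-host-prohibited/ { print rule; done = 1 }
        { print }
    ' "$rules" > "$rules.tmp" && mv "$rules.tmp" "$rules"
    grep -qF -- "$rule" "$rules"          # fails if no REJECT line was found
}

# Constructed sample files (not copied from an appliance) so the helpers can
# be exercised safely; on a real appliance pass /etc/snmp/snmpd.conf and
# /etc/sysconfig/iptables instead.
demo=$(mktemp -d)
cat > "$demo/snmpd.conf" <<'EOF'
# /etc/snmp/snmpd.conf (constructed sample)
# sample netwitness snmpd.conf file
rocommunity netwitness 127.0.0.1
#agentaddress 192.168.1.1
#master agentx
EOF
cat > "$demo/snmpd-missing.conf" <<'EOF'
# /etc/snmp/snmpd.conf (constructed sample with the agentx line missing)
# sample netwitness snmpd.conf file
rocommunity netwitness 127.0.0.1
#agentaddress 192.168.1.1
EOF
cat > "$demo/iptables-centos" <<'EOF'
*filter
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
cat > "$demo/iptables-fc9" <<'EOF'
*filter
-A INPUT -i lo -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF

enable_agentx "$demo/snmpd.conf"
enable_agentx "$demo/snmpd-missing.conf"
add_snmp_rule "$demo/iptables-centos"
add_snmp_rule "$demo/iptables-centos"        # second run: rule not duplicated
add_snmp_rule "$demo/iptables-fc9"
grep -nE 'master agentx|dport 161' "$demo"/*  # show the resulting lines
```

The REJECT pattern deliberately ignores the chain name, which is why one function covers both operating systems listed in step 3; the backup copy is what you would diff against if snmpwalk stops answering after the change.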


 


For steps on configuring SNMP traps for RSA NetWitness and RSA Security Analytics appliances, refer to the knowledgebase article How to configure SNMP traps in RSA NetWitness NextGen and RSA Security Analytics.

Notes

Testing:

A common method for testing SNMP is to perform an snmpwalk.  It is part of the net-snmp-utils package.



To test the base MIB-II MIB, issue the command below.


snmpwalk -v2c -Of -c netwitness 127.0.0.1

To test the NetWitness-specific MIB, issue the command below.


snmpwalk -v2c -Of -c netwitness 127.0.0.1 .1.3.6.1.4.1.36807

 Tip:

To display human readable text instead of numeric OIDs, follow the steps below.


  1. Download the NETWITNESS-MIB.txt that is attached to this article.  (For Security Analytics, also download the NETWITNESS-IPMI-MIB.txt file.)
  2. Copy the MIB file(s) to the appliance.
  3. Issue the command below.
    snmpwalk -v2c -Of -c netwitness -m "./NETWITNESS-MIB.txt" 127.0.0.1 .1.3.6.1.4.1.36807

  4. To utilize SNMP for the IPMI data, download the nwsnmp.py and nw-ipmi-stats.py scripts that are attached to this article and follow the installation instructions under IPMI Monitoring in the /etc/snmp/snmpd.conf file.
  Note:  The NetWitness SNMP OID is .1.3.6.1.4.1.36807.  If you get no results under this OID but do get results under MIB-II (i.e. using snmpwalk with no OID specified) then you likely must restart your Appliance and the respective service (i.e. nwdecoder | nwlogdecoder | nwconcentrator | nwbroker) to allow the SNMP service to connect to agentx.

SNMP exposes data as objects, each of which sits at a position in the MIB tree. Each line of snmpwalk output starts with the object's address (OID), which shows where that line belongs in the tree.
Some objects carry data and the line also shows the data's type (such as INTEGER or STRING). For example, to find the software version on a concentrator, you can run the following commands:


[root ~]# snmpwalk -v 2c -Of -c netwitness 127.0.0.1 .1.3.6.1.4.1.36807 | grep -i version
.iso.org.dod.internet.private.enterprises.36807.1.2.1.1.2.88 = STRING: "/sys/stats/version"
[root ~]# snmpwalk -v2c -Of -c netwitness 127.0.0.1 .1.3.6.1.4.1.36807 | grep .88
.iso.org.dod.internet.private.enterprises.36807.1.2.1.1.1.88 = INTEGER: 88
.iso.org.dod.internet.private.enterprises.36807.1.2.1.1.2.88 = STRING: "/sys/stats/version"
.iso.org.dod.internet.private.enterprises.36807.1.2.1.1.3.88 = STRING: "9.6.5.12"
[root ~]# snmpwalk -v2c -Of -c netwitness -m "./NETWITNESS-MIB.txt" 127.0.0.1 .1.3.6.1.4.1.36807 | grep .88
.iso.org.dod.internet.private.enterprises.netwitness.nwProducts.nwConcentrator.nwConcentratorNodes.nwConcentratorNodeInfo.nwConcentratorNodeIndex.88 = INTEGER: 88
.iso.org.dod.internet.private.enterprises.netwitness.nwProducts.nwConcentrator.nwConcentratorNodes.nwConcentratorNodeInfo.nwConcentratorNodePath.88 = STRING: "/sys/stats/version"
.iso.org.dod.internet.private.enterprises.netwitness.nwProducts.nwConcentrator.nwConcentratorNodes.nwConcentratorNodeInfo.nwConcentratorNodeValue.88 = STRING: "9.6.5.12"
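As an added example (not part of the RSA article), the awk function below does the path-to-value join that the two grep commands above perform by hand: it reads snmpwalk output on stdin, pairs column 2 (the stat path) with column 3 (its value) by row index, and prints the value for a requested path, whether the OIDs are numeric or resolved through NETWITNESS-MIB.txt. The sample rows embedded in it are constructed from the output above plus one invented uptime row, and matching the NodePath/NodeValue name suffixes is an assumption extended from the concentrator column names shown above.

```shell
#!/bin/sh
# Added example (not part of the RSA article): look up a NetWitness stat by its
# path in one step. In the node table, column 2 (nwConcentratorNodePath) holds
# the stat path and column 3 (nwConcentratorNodeValue) its value; rows share
# the trailing index. The *NodePath/*NodeValue suffix match is an assumption
# for output resolved with -m; numeric output is matched on the column number.
#
# Usage on an appliance (community and OID as in the article):
#   snmpwalk -v2c -Of -c netwitness 127.0.0.1 .1.3.6.1.4.1.36807 | nw_stat /sys/stats/version
# With no argument every "path = value" pair is printed.
nw_stat() {
    awk -v want="$1" '
        {
            eq = index($0, " = "); if (eq == 0) next
            oid = substr($0, 1, eq - 1)
            val = substr($0, eq + 3)                  # e.g. STRING: "9.6.5.12"
            n = split(oid, part, ".")
            col = part[n - 1]; idx = part[n]
            sub(/^[A-Za-z0-9-]+: /, "", val)          # drop the SNMP type tag
            gsub("^\"|\"$", "", val)                  # drop surrounding quotes
            if (col == "2" || col ~ /NodePath$/)       path[idx] = val
            else if (col == "3" || col ~ /NodeValue$/) value[idx] = val
        }
        END {
            for (i in path) {
                if (!(i in value)) continue
                if (want != "" && path[i] != want) continue
                out = value[i]
                if (want == "") out = path[i] " = " out
                print out
            }
        }
    '
}

# Constructed sample of snmpwalk output: the version rows shown in the article
# plus one invented row (index 3, /sys/stats/uptime) so the join has two entries.
SAMPLE_NUMERIC='.iso.org.dod.internet.private.enterprises.36807.1.2.1.1.1.3 = INTEGER: 3
.iso.org.dod.internet.private.enterprises.36807.1.2.1.1.2.3 = STRING: "/sys/stats/uptime"
.iso.org.dod.internet.private.enterprises.36807.1.2.1.1.3.3 = STRING: "4242"
.iso.org.dod.internet.private.enterprises.36807.1.2.1.1.1.88 = INTEGER: 88
.iso.org.dod.internet.private.enterprises.36807.1.2.1.1.2.88 = STRING: "/sys/stats/version"
.iso.org.dod.internet.private.enterprises.36807.1.2.1.1.3.88 = STRING: "9.6.5.12"'
# The same version rows as printed when NETWITNESS-MIB.txt is loaded with -m.
SAMPLE_NAMED='.iso.org.dod.internet.private.enterprises.netwitness.nwProducts.nwConcentrator.nwConcentratorNodes.nwConcentratorNodeInfo.nwConcentratorNodeIndex.88 = INTEGER: 88
.iso.org.dod.internet.private.enterprises.netwitness.nwProducts.nwConcentrator.nwConcentratorNodes.nwConcentratorNodeInfo.nwConcentratorNodePath.88 = STRING: "/sys/stats/version"
.iso.org.dod.internet.private.enterprises.netwitness.nwProducts.nwConcentrator.nwConcentratorNodes.nwConcentratorNodeInfo.nwConcentratorNodeValue.88 = STRING: "9.6.5.12"'

printf '%s\n' "$SAMPLE_NUMERIC" | nw_stat /sys/stats/version   # 9.6.5.12
printf '%s\n' "$SAMPLE_NAMED"   | nw_stat /sys/stats/version   # 9.6.5.12
printf '%s\n' "$SAMPLE_NUMERIC" | nw_stat | sort               # all pairs
```

The index column (column 1) is read and ignored, so the function is unaffected by whether the walk was run with or without the MIB file; an empty result for a path you expect is the same symptom the Note above describes, and points at the agentx registration rather than at the parser.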

Tip 2: Send the SNMP request from another device. Open two SSH (PuTTY) sessions: issue a tcpdump command in one session and issue the snmpwalk in the other, so you can see the request arrive on port 161 of the target appliance. 
[root-decoder ~]#  tcpdump -i any port 161
[root-concentrator ~]# snmpwalk -v2c -Of -c netwitness -m "./NETWITNESS-MIB.txt" <IP address of decoder> .1.3.6.1.4.1.36807 
 


RPM Files:

lm_sensors-3.0.1-5.fc9.x86_64.rpm
lm_sensors-2.10.7-9.el5.x86_64.rpm
net-snmp-5.3.2.2-14.el5.x86_64.rpm
net-snmp-5.4.1-14.fc9.x86_64.rpm
net-snmp-libs-5.3.2.2-14.el5.x86_64.rpm
net-snmp-libs-5.4.1-14.fc9.x86_64.rpm
net-snmp-utils-5.3.2.2-14.el5.x86_64.rpm
net-snmp-utils-5.4.1-14.fc9.x86_64.rpm

Legacy Article ID: a59776
