Testing:
A common way to test SNMP on an appliance is to run snmpwalk, which is part of the net-snmp-utils package.
To test the base MIB-II MIB, issue the command below.
snmpwalk -v2c -Of -c netwitness 127.0.0.1
To test the NetWitness-specific MIB, issue the command below.
snmpwalk -v2c -Of -c netwitness 127.0.0.1 .1.3.6.1.4.1.36807
Tip #1:
To display human-readable text instead of numeric OIDs, follow the steps below.
- Download the NETWITNESS-MIB.txt that is attached to this article. (For Security Analytics, also download the NETWITNESS-IPMI-MIB.txt file.)
- Copy the MIB file(s) to the appliance.
- Issue the command below.
snmpwalk -v2c -Of -c netwitness -m "./NETWITNESS-MIB.txt" 127.0.0.1 .1.3.6.1.4.1.36807
- To utilize SNMP for the IPMI data, download the nwsnmp.py and nw-ipmi-stats.py scripts that are attached to this article and follow the installation instructions under IPMI Monitoring in the /etc/snmp/snmpd.conf file.
Note: The NetWitness SNMP OID is .1.3.6.1.4.1.36807. That subtree is not served by snmpd itself; it is served by the NetWitness service, which connects to snmpd as an AgentX subagent. If you get no results under this OID but do get results under MIB-II (that is, snmpwalk with no OID specified), snmpd is running but the subagent is not connected, and you likely need to restart the appliance, or at least the respective service (nwdecoder, nwlogdecoder, nwconcentrator or nwbroker), so that it reconnects to agentx.
SNMP exposes data as objects arranged in a tree, and each object's OID is its address in that tree. Every line of snmpwalk output is therefore an OID, followed by the value's type (INTEGER, STRING, etc.) and the value itself. In the NetWitness MIB each service's stats are a table: rows ending in .1.<index> hold the index, rows ending in .2.<index> hold the stat's node path (for example /sys/stats/version) and rows ending in .3.<index> hold its value, so the path row tells you which index to read the value from. For example, to find the software version on a concentrator, you can run the following commands. Note that the grep pattern .27 matches any character followed by 27, which is why rows for index 9 and 25 (values beginning "27…") also appear in the first listing:
[root@nwadmin1 snmp]# snmpwalk -v 2c -Of -c netwitness 127.0.0.1 .1.3.6.1.4.1.36807 | grep .27
.iso.org.dod.internet.private.enterprises.36807.1.3.1.1.1.27 = INTEGER: 27
.iso.org.dod.internet.private.enterprises.36807.1.3.1.1.2.27 = STRING: "/logs/stats/total"
.iso.org.dod.internet.private.enterprises.36807.1.3.1.1.3.9 = STRING: "270837b2-60ac-474c-9417-5f2ed55ec1bd"
.iso.org.dod.internet.private.enterprises.36807.1.3.1.1.3.25 = STRING: "2779"
.iso.org.dod.internet.private.enterprises.36807.1.3.1.1.3.27 = STRING: "2779"
.iso.org.dod.internet.private.enterprises.36807.1.4.1.1.1.27 = INTEGER: 27
.iso.org.dod.internet.private.enterprises.36807.1.4.1.1.2.27 = STRING: "/sys/stats/version"
.iso.org.dod.internet.private.enterprises.36807.1.4.1.1.3.27 = STRING: "11.3.0.0"

[root ~]# snmpwalk -v2c -Of -c netwitness 127.0.0.1 .1.3.6.1.4.1.36807 | grep .88
.iso.org.dod.internet.private.enterprises.36807.1.2.1.1.1.88 = INTEGER: 88
.iso.org.dod.internet.private.enterprises.36807.1.2.1.1.2.88 = STRING: "/sys/stats/version"
.iso.org.dod.internet.private.enterprises.36807.1.2.1.1.3.88 = STRING: "9.6.5.12"

[root ~]# snmpwalk -v2c -Of -c netwitness -m "./NETWITNESS-MIB.txt" 127.0.0.1 .1.3.6.1.4.1.36807 | grep .88
.iso.org.dod.internet.private.enterprises.netwitness.nwProducts.nwConcentrator.nwConcentratorNodes.nwConcentratorNodeInfo.nwConcentratorNodeIndex.88 = INTEGER: 88
.iso.org.dod.internet.private.enterprises.netwitness.nwProducts.nwConcentrator.nwConcentratorNodes.nwConcentratorNodeInfo.nwConcentratorNodePath.88 = STRING: "/sys/stats/version"
.iso.org.dod.internet.private.enterprises.netwitness.nwProducts.nwConcentrator.nwConcentratorNodes.nwConcentratorNodeInfo.nwConcentratorNodeValue.88 = STRING: "9.6.5.12"
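The script below is an added example for this article, not RSA/NetWitness code. It automates the two things shown above: nw_subtree_check (a hypothetical name) performs the MIB-II and enterprise walks from the Testing section and reports the symptom described in the note, MIB-II answering while .1.3.6.1.4.1.36807 is empty; nw_stat_value (also hypothetical) resolves a stat by its node path, such as /sys/stats/version, using the table layout visible in the listings (the path row and the value row share the same table prefix and index), which is more reliable than grepping a numeric suffix like .27 that also matches "270837b2…" and "2779". It handles both numeric column OIDs and the nw*NodePath / nw*NodeValue names you get with the MIB loaded. The sample walk embedded in the script is constructed from the listings above; the host and community string are assumptions.

```shell
#!/bin/sh
# Added example for this article (not RSA/NetWitness code).  The sample walk
# output is constructed from the article's listings; host and community are
# assumptions.  Function names are hypothetical.

# Constructed snmpwalk -Of output modelled on the concentrator listing.
# Rows with index 9 and 25 also contain "27" in their values, which is why
# 'grep .27' returns them as well.
sample_walk() {
cat <<'EOF'
.iso.org.dod.internet.private.enterprises.36807.1.3.1.1.1.27 = INTEGER: 27
.iso.org.dod.internet.private.enterprises.36807.1.3.1.1.2.27 = STRING: "/logs/stats/total"
.iso.org.dod.internet.private.enterprises.36807.1.3.1.1.3.9 = STRING: "270837b2-60ac-474c-9417-5f2ed55ec1bd"
.iso.org.dod.internet.private.enterprises.36807.1.3.1.1.3.25 = STRING: "2779"
.iso.org.dod.internet.private.enterprises.36807.1.3.1.1.3.27 = STRING: "2779"
.iso.org.dod.internet.private.enterprises.36807.1.4.1.1.1.27 = INTEGER: 27
.iso.org.dod.internet.private.enterprises.36807.1.4.1.1.2.27 = STRING: "/sys/stats/version"
.iso.org.dod.internet.private.enterprises.36807.1.4.1.1.3.27 = STRING: "11.3.0.0"
EOF
}

# nw_stat_value PATH   (snmpwalk output on stdin)
# Every row's OID ends in <column>.<index>: column 1 is the index, 2 the node
# path, 3 the node value (nw*NodeIndex / nw*NodePath / nw*NodeValue when the
# MIB is loaded).  Find the index whose path row equals PATH, then print the
# value row with the same table prefix and index.  Exit 1 if PATH is absent.
nw_stat_value() {
    awk -v want="$1" '
        {
            n = split($1, o, ".")
            col = o[n-1]; idx = o[n]
            table = $1; sub(/\.[^.]+\.[^.]+$/, "", table)      # strip column.index
            val = $0; sub(/^[^=]*= [A-Za-z0-9-]+: /, "", val)  # keep text after "TYPE: "
            gsub(/^"|"$/, "", val)                             # unquote STRING values
            if ((col == "2" || col ~ /NodePath$/) && val == want) wanted[table "." idx] = 1
            if (col == "3" || col ~ /NodeValue$/) value[table "." idx] = val
        }
        END {
            for (k in wanted) if (k in value) { print value[k]; found = 1 }
            if (!found) exit 1
        }'
}

# nw_subtree_check HOST COMMUNITY
# Walk MIB-II and the NetWitness subtree with numeric OIDs (-On).  MIB-II rows
# but no 36807 rows is the symptom from the note: snmpd is up, but the
# NetWitness service is not connected to it as an AgentX subagent.  The trailing
# "\." keeps the "No Such Object" / "No more variables" line from counting.
nw_subtree_check() {
    host="$1"; comm="$2"
    mib2=$(snmpwalk -v2c -On -c "$comm" "$host" .1.3.6.1.2.1 2>/dev/null \
           | grep -c '^\.1\.3\.6\.1\.2\.1\.' || true)
    nw=$(snmpwalk -v2c -On -c "$comm" "$host" .1.3.6.1.4.1.36807 2>/dev/null \
           | grep -c '^\.1\.3\.6\.1\.4\.1\.36807\.' || true)
    echo "MIB-II rows: $mib2  NetWitness rows: $nw"
    if [ "$mib2" -gt 0 ] && [ "$nw" -eq 0 ]; then
        echo "NetWitness subtree empty: restart the NetWitness service so it reconnects to agentx" >&2
        return 1
    fi
    return 0
}

# On an appliance (assumed host and community):
#   nw_subtree_check 127.0.0.1 netwitness
#   snmpwalk -v2c -Of -c netwitness 127.0.0.1 .1.3.6.1.4.1.36807 | nw_stat_value /sys/stats/version
# Offline demonstration against the constructed walk:
sample_walk | nw_stat_value /sys/stats/version
```

nw_stat_value only depends on the last two OID components, so it works unchanged on -On, -Of and MIB-resolved output, and on any of the product subtrees (36807.1.2, 36807.1.3, 36807.1.4) because the table prefix is part of the lookup key.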
Tip #2: Send the SNMP query from another appliance and watch it arrive. Open two ssh (PuTTY) sessions: run tcpdump on the appliance being queried in one session and run snmpwalk against it from the other appliance in the second session. The capture shows the requests and responses on UDP port 161; because v2c carries the community string in cleartext, it will be visible in the capture too, so keep the community and the addresses allowed to use it restricted in /etc/snmp/snmpd.conf.
[root-decoder ~]# tcpdump -i any port 161
[root-concentrator ~]# snmpwalk -v2c -Of -c netwitness -m "./NETWITNESS-MIB.txt" <IP address of decoder> .1.3.6.1.4.1.36807