000026697 - How to enable SNMP in OS on RSA NetWitness

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support on Jul 10, 2019. Version 14.

Article Content

Article Number: 000026697
Applies To: RSA Product Set: Security Analytics, NetWitness
RSA Product/Service Type: Core Appliances
RSA Version/Condition: NetWitness 10.x and 11.x
Platform: CentOS
Platform (Other): SNMP
O/S Version: 6 and 7
Issue: How to enable SNMP in RSA NetWitness 10.x
Resolution

The snmpd.conf file is read in on startup of the service. 



  1. Edit the /etc/snmp/snmpd.conf file and uncomment the following line: #master agentx

    • If the file /etc/snmp/snmpd.conf does not exist, download the nwsnmpconfig-2015.09.10.sh script that is attached to this article, transfer it to your appliance, and run it. You may first have to make it executable with the following command:

      chmod +x nwsnmpconfig.sh

    • If you do have /etc/snmp/snmpd.conf but it is not the NetWitness-customized version (the second line of the file will be # sample netwitness snmpd.conf file), you may need to run the nwsnmpconfig-2015.09.10.sh script on the appliance as described in the bullet point above. Be certain to back up the previous /etc/snmp/snmpd.conf. Test using snmpwalk before replacing the file.
    • If the file is NetWitness-customized but is missing the #master agentx line, add master agentx immediately after the line beginning with the following: #agentaddress 192.168.1.1
  2. Follow the appropriate step below based on your operating system.  Issue the following command to confirm which operating system you are running:  

    cat /etc/redhat-release


    • CentOS:
      • In NetWitness 11.x, follow the document below so that the firewall rules are not overwritten by Chef:
        https://community.rsa.com/docs/DOC-93651
      • In NetWitness 10.x, Puppet will overwrite firewall rules, so the file below will need to be modified. Doing so opens the specified port on all of the servers.
        • Modify this file in NetWitness 10: /etc/puppet/modules/appliance/manifests/init.pp

            firewall { '4 SNMP Port':
              dport  => [161],
              proto  => udp,
              action => accept,
            }

        • Edit /etc/sysconfig/iptables and insert the line below before the following line: -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited

            iptables -A INPUT -p udp -m udp --dport 161 -j ACCEPT

  3. Issue the following commands:

     chkconfig snmpd on
     service iptables restart
     service snmpd start

  4. Restart the appliance and the nwdecoder | nwlogdecoder | nwconcentrator | nwbroker services so that the service registers with snmpd when it comes back up.

After performing the steps above, SNMP objects should now be accessible on the NetWitness or Security Analytics appliances from remote devices.

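Step 1 above is a small decision procedure (is the file the NetWitness-customized one, is master agentx present, is it only commented out). As an added example that is not part of the original article, the Python below applies those checks to the contents of a snmpd.conf and produces the corrected text; the sample file is constructed to match the layout the article describes, not copied from an appliance.

```python
import re

# Constructed sample (not a real appliance file) laid out the way the article
# describes the NetWitness-customized snmpd.conf: marker on line 2, agentx commented.
SAMPLE_CONF = """\
###############################################################################
# sample netwitness snmpd.conf file
rocommunity netwitness 127.0.0.1
#agentaddress 192.168.1.1
#master agentx
"""

CUSTOMIZED_MARKER = "# sample netwitness snmpd.conf file"
AGENTADDRESS_LINE = "#agentaddress 192.168.1.1"
MASTER_RE = re.compile(r"^\s*master\s+agentx\s*$")
COMMENTED_MASTER_RE = re.compile(r"^\s*#\s*master\s+agentx\s*$")


def is_netwitness_customized(text: str) -> bool:
    """Check the marker the article names: the file's second line."""
    lines = text.splitlines()
    return len(lines) >= 2 and lines[1].strip() == CUSTOMIZED_MARKER


def agentx_enabled(text: str) -> bool:
    """True only when an uncommented 'master agentx' directive exists."""
    return any(MASTER_RE.match(ln) for ln in text.splitlines())


def enable_agentx(text: str) -> str:
    """Return the content with 'master agentx' active, following step 1:
    uncomment an existing '#master agentx' line; if there is none, insert
    'master agentx' right after the '#agentaddress 192.168.1.1' line.
    Raises ValueError when neither anchor exists: that file is not the
    customized one and should be replaced via the script instead."""
    if agentx_enabled(text):
        return text
    lines = text.splitlines()
    for i, ln in enumerate(lines):
        if COMMENTED_MASTER_RE.match(ln):
            lines[i] = "master agentx"
            return "\n".join(lines) + "\n"
    for i, ln in enumerate(lines):
        if ln.startswith(AGENTADDRESS_LINE):
            lines.insert(i + 1, "master agentx")
            return "\n".join(lines) + "\n"
    raise ValueError("neither '#master agentx' nor '#agentaddress 192.168.1.1' found; "
                     "not a NetWitness-customized snmpd.conf")
```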
For steps on configuring SNMP traps for RSA NetWitness and RSA Security Analytics appliances, refer to the knowledge base article How to configure SNMP traps in RSA NetWitness NextGen and RSA Security Analytics.

Notes

Testing:

A common method for testing SNMP is to perform an snmpwalk. It is part of the net-snmp-utils package.

To test the base MIB-II MIB, issue the command below.

snmpwalk -v2c -Of -c netwitness 127.0.0.1

To test the NetWitness-specific MIB, issue the command below.

snmpwalk -v2c -Of -c netwitness 127.0.0.1 .1.3.6.1.4.1.36807

Tip #1:

To display human-readable text instead of numeric OIDs, follow the steps below.



  1. Download the NETWITNESS-MIB.txt that is attached to this article.  (For Security Analytics, also download the NETWITNESS-IPMI-MIB.txt file.)
  2. Copy the MIB file(s) to the appliance.
  3. Issue the command below.

    snmpwalk -v2c -Of -c netwitness -m "./NETWITNESS-MIB.txt" 127.0.0.1 .1.3.6.1.4.1.36807

  4. To utilize SNMP for the IPMI data, download the nwsnmp.py and nw-ipmi-stats.py scripts that are attached to this article and follow the installation instructions under IPMI Monitoring in the /etc/snmp/snmpd.conf file.
  Note: The NetWitness SNMP OID is .1.3.6.1.4.1.36807. If you get no results under this OID but do get results under MIB-II (that is, snmpwalk with no OID specified), you will likely need to restart your appliance and the respective service (nwdecoder | nwlogdecoder | nwconcentrator | nwbroker) to allow the SNMP service to connect to agentx.

SNMP exposes data as objects, each attached to a node of the main OID tree. Each line of snmpwalk output carries the object's OID (its address, which shows where the object belongs in the tree), its data type (INTEGER, STRING, etc.) and its value. For example, to find the software version on a concentrator, you can run the following commands:



[root@nwadmin1 snmp]# snmpwalk -v 2c -Of -c netwitness 127.0.0.1 .1.3.6.1.4.1.36807 | grep .27
.iso.org.dod.internet.private.enterprises.36807.1.3.1.1.1.27 = INTEGER: 27
.iso.org.dod.internet.private.enterprises.36807.1.3.1.1.2.27 = STRING: "/logs/stats/total"
.iso.org.dod.internet.private.enterprises.36807.1.3.1.1.3.9 = STRING: "270837b2-60ac-474c-9417-5f2ed55ec1bd"
.iso.org.dod.internet.private.enterprises.36807.1.3.1.1.3.25 = STRING: "2779"
.iso.org.dod.internet.private.enterprises.36807.1.3.1.1.3.27 = STRING: "2779"
.iso.org.dod.internet.private.enterprises.36807.1.4.1.1.1.27 = INTEGER: 27
.iso.org.dod.internet.private.enterprises.36807.1.4.1.1.2.27 = STRING: "/sys/stats/version"
.iso.org.dod.internet.private.enterprises.36807.1.4.1.1.3.27 = STRING: "11.3.0.0"



[root ~]# snmpwalk -v2c -Of -c netwitness 127.0.0.1 .1.3.6.1.4.1.36807 | grep .88
.iso.org.dod.internet.private.enterprises.36807.1.2.1.1.1.88 = INTEGER: 88
.iso.org.dod.internet.private.enterprises.36807.1.2.1.1.2.88 = STRING: "/sys/stats/version"
.iso.org.dod.internet.private.enterprises.36807.1.2.1.1.3.88 = STRING: "9.6.5.12"

[root ~]# snmpwalk -v2c -Of -c netwitness -m "./NETWITNESS-MIB.txt" 127.0.0.1 .1.3.6.1.4.1.36807 | grep .88
.iso.org.dod.internet.private.enterprises.netwitness.nwProducts.nwConcentrator.nwConcentratorNodes.nwConcentratorNodeInfo.nwConcentratorNodeIndex.88 = INTEGER: 88
.iso.org.dod.internet.private.enterprises.netwitness.nwProducts.nwConcentrator.nwConcentratorNodes.nwConcentratorNodeInfo.nwConcentratorNodePath.88 = STRING: "/sys/stats/version"
.iso.org.dod.internet.private.enterprises.netwitness.nwProducts.nwConcentrator.nwConcentratorNodes.nwConcentratorNodeInfo.nwConcentratorNodeValue.88 = STRING: "9.6.5.12"
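The grep above matches any line containing "27" or "88", including unrelated rows, while the walk output is really a table: for each row index, column 1 is the index, column 2 the stat path and column 3 its value. As an added example (not part of the original article), the Python below parses walk lines in both the numeric and the -m symbolic form into rows and looks up a stat by its exact path; the sample lines are constructed in the shape of the output shown above.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the article's output: numeric OIDs from a
# plain walk, plus two symbolic lines as produced with -m "./NETWITNESS-MIB.txt".
SAMPLE_WALK = """\
.iso.org.dod.internet.private.enterprises.36807.1.3.1.1.1.27 = INTEGER: 27
.iso.org.dod.internet.private.enterprises.36807.1.3.1.1.2.27 = STRING: "/logs/stats/total"
.iso.org.dod.internet.private.enterprises.36807.1.3.1.1.3.27 = STRING: "2779"
.iso.org.dod.internet.private.enterprises.36807.1.4.1.1.1.27 = INTEGER: 27
.iso.org.dod.internet.private.enterprises.36807.1.4.1.1.2.27 = STRING: "/sys/stats/version"
.iso.org.dod.internet.private.enterprises.36807.1.4.1.1.3.27 = STRING: "11.3.0.0"
.iso.org.dod.internet.private.enterprises.netwitness.nwProducts.nwConcentrator.nwConcentratorNodes.nwConcentratorNodeInfo.nwConcentratorNodePath.88 = STRING: "/sys/stats/version"
.iso.org.dod.internet.private.enterprises.netwitness.nwProducts.nwConcentrator.nwConcentratorNodes.nwConcentratorNodeInfo.nwConcentratorNodeValue.88 = STRING: "9.6.5.12"
"""

# One walk line: <table prefix>.<column>.<row index> = <TYPE>: <value>
LINE_RE = re.compile(r"^(?P<prefix>\S+)\.(?P<col>[^.\s]+)\.(?P<idx>\d+) = (?P<type>[\w-]+): (?P<val>.*)$")
NUMERIC_COLUMNS = {"1": "index", "2": "path", "3": "value"}
SYMBOLIC_SUFFIXES = (("NodeIndex", "index"), ("NodePath", "path"), ("NodeValue", "value"))


def column_kind(col: str):
    """Map a column (numeric, or a MIB name such as nwConcentratorNodePath) to its role."""
    if col in NUMERIC_COLUMNS:
        return NUMERIC_COLUMNS[col]
    return next((kind for suffix, kind in SYMBOLIC_SUFFIXES if col.endswith(suffix)), None)


def parse_walk(text: str) -> dict:
    """Group walk lines into rows keyed by (table prefix, row index)."""
    rows = defaultdict(dict)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        kind = column_kind(m["col"]) if m else None
        if kind is None:
            continue
        val = m["val"]
        if m["type"] == "STRING" and len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]  # strip the quotes snmpwalk puts around strings
        rows[(m["prefix"], int(m["idx"]))][kind] = val
    return dict(rows)


def find_stat(text: str, path: str):
    """Exact-path lookup (unlike grep .27): [(table prefix, value)] for each matching row."""
    return sorted((prefix, row["value"]) for (prefix, _), row in parse_walk(text).items()
                  if row.get("path") == path and "value" in row)
```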


Tip #2:
Send the SNMP request from another device. Open two SSH (PuTTY) sessions. Issue a tcpdump command in one session and issue the snmpwalk in the other session.

[root-decoder ~]#  tcpdump -i any port 161
[root-concentrator ~]# snmpwalk -v2c -Of -c netwitness -m "./NETWITNESS-MIB.txt" <IP address of decoder> .1.3.6.1.4.1.36807



Legacy Article ID: a59776