SNMP Event Source Configuration Parameters

Document created by RSA Information Design and Development on Jul 23, 2016. Last modified by RSA Information Design and Development on Sep 14, 2016.
Version 4
 

This topic describes the Simple Network Management Protocol (SNMP) event source parameters.

Simple Network Management Protocol (SNMP) is a set of internet standards for management of network services. SNMP includes a protocol, a schema for defining data, and data sets known as Management Information Bases (MIBs). MIBs include Internet standards and standards specific to vendors/services. SNMP entities include agents and managers. Agents are managed services that instrument various MIBs and make the data available to managers. Managers can retrieve the data from the managed services. The managed services can also notify managers asynchronously through a trap.

There are three versions of SNMP in widespread use: version 1, version 2c and version 3. Version 3 includes security and access control features.

To access the SNMP Event Source Configuration Parameters:

  1. In the Security Analytics menu, select Administration > Services.
  2. In the Services grid, select a Log Collector service.
  3. Click the AdvcdExpandBtn.PNG icon under Actions and select View > Config.
  4. In the Event Sources tab, select SNMP/Config from the drop-down menu.

[Figure: SNMP/Config view in the Event Sources tab (SNMPEvSrcTb.png)]

Features

The SNMP/Config view in the Event Sources tab has two panels: Event Categories and Sources.

Event Categories Panel

In the Event Categories panel, you can add or delete SNMP event source types.

                 
Feature | Description
Icon-Add.png | Displays the Available Event Source Types dialog from which you select the event source type for which you want to define parameters.

Note: Security Analytics only supports a single event source, that is snmptrap, and adds snmptrap automatically when you add the event source type.

Icon_Delete_sm.png | Deletes the selected event source types from the Event Categories panel.
icon-edit.png | Selects event source types.
Name | Displays the name of the event source types that you have added.

Available Event Source Types Dialog

SNMP has a single event source type (category) called snmptrap. After you add snmptrap to the Event Categories panel, Security Analytics also adds an event source called snmptrap to the Sources panel. Only a single event source is supported. You cannot add or delete it. Only the event source type (or category) can be added or deleted.

                 
Feature | Description
Checkbox.png | Selects the event source type that you want to add.
Type | Displays the event source types that are available to add.
Cancel | Closes the dialog without adding an event source type.
OK | Adds the selected event source type to the Event Categories panel.

Sources Panel

Use this panel to review, add, modify, and delete event sources and their parameters for the event source type you selected in Event Sources.

Toolbar

The following table provides descriptions of the toolbar options.

          
Option | Description
icon-edit.png | Opens the Modify Source dialog in which you modify the configuration parameters for the selected event source.
When you select multiple event sources, opens the Bulk Edit Source dialog in which you can edit the parameter values for the selected event sources.
After you save changes to the SNMP event source, Security Analytics prompts you to restart SNMP collection. When you restart SNMP collection, Security Analytics uses the changed parameter values.
Checkbox.png | Selects the event source type that you want to edit.

Edit Source Dialog

In this dialog, you add or modify an event source for the selected event source type.

              
Feature | Description
SNMP Source Parameters | Lists the parameters populated with the default values. Enter or modify the appropriate values.
Cancel | Closes the dialog without adding an event source or saving the parameter values for the selected event source.
OK | In the Add Sources dialog, adds the event source and its parameters. In the Modify Sources dialog, applies the parameter value changes for the selected event source.

SNMP Source Parameters

The following table provides descriptions of the SNMP source parameters.

                                        
Option | Description

Basic

Name * | The name of the SNMP source (for example, snmptrap).

Ports * | The UDP and UDP/IPv6 port numbers. A valid port number is any number in the range 1 through 65535; the default port is 162. You can enter multiple ports by separating each with a comma.
If you change this parameter, the change does not take effect until you restart collection or restart the Log Collector service.

Minimum v3 Security Level | The minimum security level required of received v3 traps. Valid values are:
  • noAuthNoPriv - no authentication and no privacy.
  • authNoPriv - authentication but no privacy. Security Analytics ignores any traps with a security level of noAuthNoPriv.
  • authPriv - authentication and privacy. Security Analytics ignores any traps with a security level of noAuthNoPriv or authNoPriv.

Collect v1 Traps | Select the check box to collect SNMP version 1 traps. The check box is selected by default. If you do not select this parameter, Security Analytics ignores SNMP v1 traps.

Collect v2c Traps | Select the check box to collect SNMP version 2c traps. The check box is selected by default. If you do not select this parameter, Security Analytics ignores SNMP v2c traps.

Collect v3 Traps | Select the check box to collect SNMP version 3 traps. The check box is selected by default. If you do not select this parameter, Security Analytics ignores SNMP v3 traps.

Enabled | Select the check box to enable the event source configuration to start collection. The check box is selected by default.

Community Strings | Comma-separated list of community strings. This parameter contains no values by default.
  • no values specified - Security Analytics collects all SNMP traps.
  • values specified - if the community string in the received trap is not in the list specified, Security Analytics ignores the trap.

Advanced

Maximum receivers | Maximum number of receiver resources in the 1 to 50 range. The default value depends on the SNMP type (category) and is 2 for the snmp type.
If you change this parameter, the change does not take effect until you restart collection or restart the Log Collector service.

InFlight Publish Log Threshold | The threshold value in published events at which Security Analytics creates an informational message. Valid values are:
  • 0 = disable the message
  • 100-100000000 = published event threshold

Debug | Caution: Only enable debugging (set this parameter to "On" or "Verbose") if you have a problem with an event source and you need to investigate this problem. Enabling debugging will adversely affect the performance of the Log Collector.
Enables/disables debug logging for the event source.
Valid values are:
  • Off = (default) disabled
  • On = enabled
  • Verbose = enabled in verbose mode; adds thread information and source context information to the messages.
This parameter is designed to debug and monitor isolated event source collection issues. The debug logging is verbose, so limit the number of event sources to minimize performance impact.
If you change this value, the change takes effect immediately (no restart required).
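
The Basic parameters above act together as a filter on received traps. The following Python model is an added example, not RSA code or a product API; it shows which traps a given configuration collects or ignores. The field names and sample traps are hypothetical, the Minimum v3 Security Level default is constructed because the page states none, and the model assumes community strings are not applied to v3 traps.

```python
from dataclasses import dataclass

# v3 security levels, weakest to strongest, as listed in the parameter table.
LEVELS = ("noAuthNoPriv", "authNoPriv", "authPriv")

def parse_ports(value):
    """Validate the comma-separated Ports value (each port 1 through 65535)."""
    ports = []
    for item in (p.strip() for p in value.split(",")):
        if not item.isdigit() or not 1 <= int(item) <= 65535:
            raise ValueError(f"invalid port: {item!r}")
        ports.append(int(item))
    return ports

@dataclass
class SnmpSource:
    # Hypothetical field names for the Basic parameters; not a product API.
    ports: str = "162"
    min_v3_level: str = "noAuthNoPriv"   # constructed; the page states no default
    collect_v1: bool = True
    collect_v2c: bool = True
    collect_v3: bool = True
    enabled: bool = True
    community_strings: str = ""          # empty by default: no community filtering

    def decide(self, version, community=None, level=None):
        """Return (collected, reason) for a trap of version '1', '2c' or '3'."""
        parse_ports(self.ports)  # reject an invalid Ports value up front
        if not self.enabled:
            return False, "event source not enabled"
        if not {"1": self.collect_v1, "2c": self.collect_v2c, "3": self.collect_v3}[version]:
            return False, f"v{version} collection not selected"
        if version == "3":
            # Assumption: community strings are not applied to v3 traps.
            if LEVELS.index(level) < LEVELS.index(self.min_v3_level):
                return False, "below minimum v3 security level"
            return True, "collected"
        allowed = [c.strip() for c in self.community_strings.split(",") if c.strip()]
        if allowed and community not in allowed:
            return False, "community string not in list"
        return True, "collected"

# Constructed sample traps: (version, community, v3 security level)
SAMPLE_TRAPS = [("1", "public", None), ("2c", "netops", None),
                ("3", None, "authNoPriv"), ("3", None, "authPriv")]

def run(source):
    return [source.decide(v, c, l)[0] for v, c, l in SAMPLE_TRAPS]

if __name__ == "__main__":
    print("defaults:  ", run(SnmpSource()))
    print("restricted:", run(SnmpSource(min_v3_level="authPriv", collect_v1=False,
                                        community_strings="netops, corp-ro")))
```

With the documented defaults, every sample trap is collected, including v1 and v2c traps carrying any community string; the restricted configuration keeps only the listed v2c community and authPriv v3 traps.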
 