000026855 - How to configure SNMP traps in RSA NetWitness NextGen and RSA Security Analytics

Document created by RSA Customer Support Employee on Jan 11, 2017. Last modified by RSA Customer Support Employee on Apr 21, 2017.

Article Number: 000026855
Applies To: RSA Product Set: NetWitness Logs and Packets, NetWitness NextGen (Legacy), Security Analytics
RSA Version/Condition: 9.6.x and above
Issue: How to configure SNMP traps in RSA NetWitness NextGen and RSA Security Analytics.
Once the SNMP agent has been enabled, following the instructions in the knowledgebase article How to enable SNMP in RSA NetWitness NextGen 9.6 and above or in RSA Security Analytics, how do I configure it to send SNMP traps?
Resolution

Follow the instructions below to configure SNMP traps for the appliance. The examples provided are for a Decoder but apply equally to Concentrators and Brokers.

The screenshots depict the RSA NetWitness Administrator thick client, but the view is comparable to the Explore view in RSA Security Analytics.

RSA NetWitness NextGen 9.6, 9.7 and 9.8:
1.  Open NetWitness Administrator
2.  Connect to your appliance's Decoder service
3.  Open the Decoder service in explorer view by right-clicking on it and clicking 'Explorer'


4.  Navigate to /logs/config/log.snmp.agent.  Enter the IP address of your SNMP trap receiver into the right-hand column.


5.  SNMP traps can be generated when an integer statistic reaches a low or high watermark.  Locate a statistic that you would like to alert on in explorer view.  Take for instance /decoder/stats/capture.dropped.percent.  You will see both a 'Low' and a 'High' column next to the statistic.  If you wish to alert when the dropped packet percentage exceeds 5%, double-click on the 'High' column and enter the number 5.  Now, if the Decoder's dropped percentage rate exceeds 5%, it will send an SNMP trap.


Another example: to alert when the capture rate drops below a certain threshold, say 50 mbps, set the 'Low' value for /decoder/stats/capture.rate to 50.


6.  To alert when a text statistic changes, e.g. /decoder/stats/capture.started, enter the state you would like to alert on in the 'Low' field.  For instance, if you would like to alert when capture is in a stopped state, type 'stopped' into the 'Low' field.

RSA Security Analytics:
1.  Log in to the RSA Security Analytics user interface.
2.  From Administration -> Services, open the decoder service in "Explore" view as shown below.
3.  Navigate to /logs/config/log.snmp.agent.  Enter the IP address of your SNMP trap receiver into the right-hand column.
4.  SNMP traps can be generated when an integer statistic reaches a low or high threshold or a string statistic changes its status.  Locate a statistic that you would like to alert on in Explore view.  Take for instance /decoder/stats/capture.dropped.percent.  If you wish to alert when the dropped packet percentage exceeds 5%, right-click on capture.dropped.percent and select "Properties". From the dropdown menu, select "setLimit", then enter "high=5" without the quotes in the Parameters field and click on the Send button. You can confirm the current value by selecting "getLimit" from the menu.  Now, if the Decoder's dropped percentage rate exceeds 5%, it will send an SNMP trap.
Similarly, to alert when a string statistic changes, e.g. /decoder/stats/capture.started, enter the state you would like to alert on in the 'low' parameter.  For instance, if you would like to alert when capture is in a stopped state, "setLimit" to "low=stopped".



If you are unsure of any of the steps above or experience any issues, contact RSA Support and quote this article ID for further assistance.

Notes
Note 1:  As of version 9.6.5.6, there is no capability to customize the SNMP community string for traps.
Note 2:  SNMP trap messages are sent via UDP port 162.  This cannot be customized.
Note 3:  As of version 9.6.5.6, string comparisons are only capable of equality logic, but not inequality, meaning that it cannot be configured to alert when capture.started does NOT equal 'started'.  Inequality logic functionality may be added in a future NextGen release.
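Added example (not part of this RSA article and not RSA code): a minimal receiver-side check for the traps described in Notes 1 and 2. It listens on UDP/162 and decodes the SNMP version, community string and PDU type from each datagram, so you can confirm that the trap receiver address entered above actually receives traps and see which fixed community string the appliance sends. The sample message at the bottom is constructed here, not captured from an appliance.

```python
import socket

# Added example (not RSA code): decode the outer BER layer of an SNMPv1/v2c
# message as received by a trap receiver on UDP/162, so you can confirm that
# traps arrive and carry the expected community string. The sample message
# at the bottom is constructed here, not captured from an appliance.

PDU_NAMES = {0xA4: "Trap-PDU (v1)", 0xA7: "SNMPv2-Trap-PDU"}

def _tlv(buf, pos):
    """Decode one BER tag/length/value at pos; returns (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def parse_trap_header(msg):
    """Return version, community and PDU type of an SNMP message (bytes)."""
    tag, body, _ = _tlv(msg, 0)
    if tag != 0x30:                        # an SNMP message is a SEQUENCE
        raise ValueError("not an SNMP message: missing outer SEQUENCE")
    tag, version, pos = _tlv(body, 0)      # INTEGER: 0 = v1, 1 = v2c
    if tag != 0x02:
        raise ValueError("expected INTEGER version")
    tag, community, pos = _tlv(body, pos)  # OCTET STRING community
    if tag != 0x04:
        raise ValueError("expected OCTET STRING community")
    pdu_tag, _, _ = _tlv(body, pos)        # context-specific tag names the PDU type
    return {
        "version": int.from_bytes(version, "big"),
        "community": community.decode("ascii", "replace"),
        "pdu": PDU_NAMES.get(pdu_tag, "PDU type 0x%02X" % pdu_tag),
    }

def listen(port=162):
    """Receive traps on UDP/port (binding 162 needs root) and print each header."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", port))
    while True:
        data, (src, _) = sock.recvfrom(65535)
        print(src, parse_trap_header(data))

# Constructed SNMPv2c trap: SEQUENCE { INTEGER 1, OCTET STRING "public", SNMPv2-Trap-PDU {} }
SAMPLE_TRAP = bytes.fromhex("300d" "020101" "04067075626c6963" "a700")
```

Run `listen()` as root on the receiver host while lowering a threshold on the appliance to confirm delivery; only the message header is decoded, the variable bindings inside the PDU are left untouched.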
Legacy Article ID: a58872