000026855 - How to configure SNMP traps in RSA NetWitness Platform

Document created by RSA Customer Support Employee on Jan 11, 2017. Last modified by RSA Customer Support on Oct 1, 2019.
Version 3

Article Content

Article Number: 000026855
Applies To: RSA Product Set: NetWitness Platform
RSA Product/Service Type: Decoder
RSA Version/Condition: 10.6.x, 11.x
Issue: How to configure SNMP traps in RSA NetWitness.
Once the SNMP agent has been enabled, following the instructions in the KB article How to enable SNMP in OS on RSA NetWitness, how do I configure it to send SNMP traps?
Resolution

Follow the instructions below to configure SNMP traps for the appliance. The examples provided are for a Decoder, but the same steps apply to Concentrators and Brokers.



  1. Log in to the RSA NetWitness UI.
  2. For 10.6.x, navigate to Administration > Services > Decoder > Explore.
     For 11.x, navigate to ADMIN > Services > Decoder > Explore.
  3. Navigate to /logs/config/log.snmp.agent. Enter the IP address of your SNMP trap receiver into the right-hand column.
  4. SNMP traps can be generated when an integer statistic reaches a low or high threshold, or when a string statistic changes its status.

     Locate a statistic that you would like to alert on in the Explore view, for instance /decoder/stats/capture.dropped.percent.
     If you wish to alert when the dropped packet percentage exceeds 5%, right-click capture.dropped.percent and select "Properties".
     From the drop-down menu below, select "setLimit", then enter "high=5" (without the quotes) in the Parameters field and click the Send button.
     You can confirm the current value by selecting "getLimit" from the menu.
     Now, if the Decoder's dropped percentage rate exceeds 5%, it will send an SNMP trap.

     Similarly, to alert when a string statistic changes, for example /decoder/stats/capture.started, enter the state you would like to alert on in the 'low' parameter. For instance, if you would like to alert when capture is in a stopped state, "setLimit" to "low=stopped".

 




If you are unsure of any of the steps above or experience any issues, contact RSA Support and quote this article ID for further assistance.

Legacy Article ID: a58872
