000026855 - How to configure SNMP traps in RSA NetWitness NextGen and RSA Security Analytics

Follow the instructions below to configure SNMP traps for the appliance.  The examples provided are for a Decoder but apply the same to Concentrators and Brokers. 

The screenshots also depict the RSA NetWitness Administrator thick client, but is comparable to the Explore view in RSA Security Analytics.

RSA NetWitness NextGen 9.6, 9.7 and 9.8:
1.  Open NetWitness Administrator
2.  Connect to your appliance's Decoder service
3.  Open the Decoder service in explorer view by right clicking on it and clicking 'Explorer'

4.  Navigate to /logs/config/log.snmp.agent.  Enter the IP address of your SNMP trap receiver into the right-hand column.

5.  SNMP traps can be generated when an integer statistic reaches a low or high-watermark.  Locate a statistic that you would like to alert on in explorer view.  Take for instance /decoder/stats/capture.dropped.percent.  You will see both a 'Low' and a 'High' column next to the statistic.  If you wish to alert when the dropped packet percentage exceeds 5%, double-click on the 'High' column and enter the number 5.  Now, if the Decoder's dropped percentage rate exceeds 5%, it will send an SNMP trap.

Another example: to alert when the capture rate drops below a certain threshold, say 50 mbps, set the 'Low' value for /decoder/stats/capture.rate to 50.

6.  To alert when a text statistic changes, i.e. /decoder/stats/capture.started, enter the state you would like to alert on in the 'Low' field.  For instance, if you would like to alert when capture is in a stopped state, type 'stopped' into the 'Low' field.  

RSA Security Analytics:
1.  Log in to the RSA Security Analytics user interface.
2.  From Administration -> Services, open the decoder service in "Explore" view as shown below.
3.  Navigate to /logs/config/log.snmp.agent.  Enter the IP address of your SNMP trap receiver into the right-hand column.
4.  SNMP traps can be generated when an integer statistic reaches a low or high threshold or a string statistic changes its status.  Locate a statistic that you would like to alert on in Explore view.  Take for instance /decoder/stats/capture.dropped.percent.  If you wish to alert when the dropped packet percentage exceeds 5%, right click on capture.dropped.percent and select "Properties". From the dropdown menu, select "setLimit" then enter "high=5" without the quotes in the Parameters field and click on the Send button. You can confirm the current value by selecting "getLimit" from the menu.  Now, if the Decoder's dropped percentage rate exceeds 5%, it will send an SNMP trap.
Similarly, to alert when a string statistic changes, i.e. /decoder/stats/capture.started, enter the state you would like to alert on in the 'low' parameter.  For instance, if you would like to alert when capture is in a stopped state, "setLimit" to "low=stopped". 

If you are unsure of any of the steps above or experience any issues, contact RSA Support and quote this article ID for further assistance.