Configure SNMP trap input options

Use the following options to enable Kiwi Syslog Server to listen for version 1, 2c, and 3 SNMP traps. The traps are decoded and then handled like syslog messages.

  1. Choose File > Setup to open the Kiwi Syslog Server Setup dialog box.
  2. Expand the Inputs node.
  3. Click SNMP.
  4. Specify the following options:

    Listen for SNMP Traps

    Select this option to enable Kiwi Syslog Server to receive SNMP traps.

    Add/Remove SNMP v3 Credentials

    SNMP v3 adds security and remote configuration enhancements. To process SNMP v3 traps, click this button and enter credential details:

    • User name: The user name configured on the device. It must be a unique value.
    • Authentication Password and Algorithm: The authentication password and algorithm (either MD5 or SHA) are used to verify that a trap comes from a valid source.
    • Private Password and Algorithm: The private password and algorithm (either AES or DES/3DES) are used to encrypt the trap data for privacy.
    • Security Level: Choose one of the following communication mechanisms:

      • No security: no authentication and no encryption.
      • Authentication only: authentication without any encryption of the data sent.
      • Authentication and Privacy: authentication and encryption of the data.

    UDP Port

    Specify the UDP port that listens for SNMP traps. IPv4 traps are usually sent to port 162 and IPv6 traps are sent to port 163. Any value between 1 and 65535 can be entered here. If you choose a value other than 162 or 163, make sure the device sending the trap is also sending to the specified port.

    Do not use the same port number for IPv4 and IPv6 trap reception.

    Bind to address

    By default, the SNMP trap receiver listens for messages on all connected interfaces. To limit it to a single interface, enter that interface's IP address in the Bind to address field; otherwise leave the field blank. A blank Bind to address field listens on all interfaces, which is the best option in most cases.

    For example, if the computer has two non-routed interfaces, 192.168.1.1 and 192.168.2.1, you can choose to bind to only the 192.168.1.1 interface. Messages sent to the other interface are then ignored.

    Variable Binding

    SNMP traps can be bound into custom fields. Below are the SNMP fields that can be assigned to custom variables such as Custom1, Custom2... Custom16.

    For example:

    In the Send SNMP trap action, click Insert message content or counter to select custom variables.

    Specified fields

    This option allows you to choose which SNMP fields are decoded and added to the incoming message. Check the box next to the field that you want enabled. You can change the order in which the message is decoded by clicking and dragging on the field name.

    Community

    This is like a password that is included in the trap message. Normally this value is set to values such as "public", "private" or "monitor".

    SNMP community strings are used only by devices that support SNMPv1 and SNMPv2. SNMPv3 uses username/password authentication along with an encryption key.

    Enterprise

    This is a dotted numerical value (1.3.6.1.x.x.x.x) that represents the MIB enterprise of the SNMP trap. This field only applies to version 1 traps. Version 2 and 3 traps have the Enterprise value bound as the second variable in the message.

    Uptime

    This value represents the system uptime of the device sending the message, in time ticks. The value resets to 0 when the device restarts, so a low value indicates that the device has been warm or cold started recently. This field only applies to version 1 traps. Version 2 traps have the system uptime value bound as the first variable in the message.

    Agent address

    This represents the IP address of the sending device.

    Trap type

    This check box represents three trap type fields: Generic Type, Specific Trap-Type, and Specific Trap-Name. These fields only apply to version 1 traps. There are 6 defined Generic Type traps. If the Generic Type is set to 6, it indicates an Enterprise type trap, and in this case the Specific Trap value needs to be considered.

    Version

    This field indicates the version of the received trap. The program currently supports versions 1, 2c, and 3.

    Message

    This field is made up of all the bound variables. Some traps include more than a single variable binding. If a variable is an Octet String type, it is visible as plain text. Other variables represent counters or integer values; in this case, check the value against the MIB syntax for further explanation.

    Syslog priority to use

    Each SNMP message that is received is converted internally into a standard syslog message, so it can be filtered like a standard syslog message. Because SNMP traps do not carry a syslog facility and level, a default value must be applied. You can then use this value in the rule engine. For example, you might set all traps to be tagged as Local0.Debug and then create a priority filter that catches that facility and level and performs a specified action.

    SNMP field tagging

    This drop-down list specifies how the decoded fields are converted into a message. By default, the "fieldname=value" option is used, which makes the logs easy to parse later. The other options are XML, comma delimited, or delimited by [].

    Here is an example of a message tagged with the fieldname=value option:

    community=public enterprise=1.3.6.1.2.1.1.1 enterprise_mib_name=sysDescr uptime=15161 agent_ip=192.168.0.1 generic_num=6 specific_num=0 version=Ver1 generic_name="Enterprise specific" var_count=01 var01_oid=1.3.6.1.2.1.1.1 var01_value="This is a test message from Kiwi Syslog Server" var01_mib_name=sysDescr

    The values are only contained in quotes ("") if they contain a space.
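    As an added example (not part of the original guide or the product), the following parser reads the fieldname=value form shown above, honouring the rule that values are quoted only when they contain a space, regroups the varNN_* fields into one record per variable binding, and computes the syslog PRI for the Local0.Debug tag mentioned under "Syslog priority to use". The sample message is the guide's own example line with a constructed second binding appended.

```python
import re
from typing import Dict, List

# Constructed sample: the guide's fieldname=value example line, plus a second
# binding (sysUpTime) added here so the grouping code handles more than one varbind.
SAMPLE_MESSAGE = (
    'community=public enterprise=1.3.6.1.2.1.1.1 enterprise_mib_name=sysDescr '
    'uptime=15161 agent_ip=192.168.0.1 generic_num=6 specific_num=0 version=Ver1 '
    'generic_name="Enterprise specific" var_count=02 '
    'var01_oid=1.3.6.1.2.1.1.1 var01_value="This is a test message from Kiwi Syslog Server" '
    'var01_mib_name=sysDescr '
    'var02_oid=1.3.6.1.2.1.1.3 var02_value=15161 var02_mib_name=sysUpTime'
)

# A value is quoted only when it contains a space, so each pair is either
# name="text with spaces" or name=bare-token.
_PAIR_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')


def parse_tagged_message(msg: str) -> Dict[str, str]:
    """Split a fieldname=value tagged trap into a dict, dropping the quotes."""
    fields: Dict[str, str] = {}
    for m in _PAIR_RE.finditer(msg):
        name, quoted, bare = m.groups()
        fields[name] = quoted if quoted is not None else bare
    return fields


def varbinds(fields: Dict[str, str]) -> List[Dict[str, str]]:
    """Regroup varNN_oid / varNN_value / varNN_mib_name into one record per binding."""
    count = int(fields.get("var_count", "0"))
    records = []
    for n in range(1, count + 1):
        prefix = f"var{n:02d}_"
        records.append({k[len(prefix):]: v for k, v in fields.items() if k.startswith(prefix)})
    return records


def syslog_pri(facility: int, severity: int) -> int:
    """Syslog PRI as carried in the message header: facility * 8 + severity.
    Local0 is facility 16 and Debug is severity 7, the tag the guide uses as its example."""
    return facility * 8 + severity


if __name__ == "__main__":
    parsed = parse_tagged_message(SAMPLE_MESSAGE)
    print(parsed["agent_ip"], parsed["generic_name"], syslog_pri(16, 7))
    for vb in varbinds(parsed):
        print(vb["mib_name"], "=", vb["value"])
```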

    Use LinkSys Display filter

    The LinkSys Display filter simply removes all PPP messages from being displayed. The PPP messages are still logged to file as normal.

    This feature is only useful if you are logging from a LinkSys network device.

    Perform MIB lookups

    A well-known list of object ID values and their text names has been included in a database that ships with the program. It handles the most common traps from Cisco, 3Com, Allied Telesyn, SonicWall, Nokia, Checkpoint, BreezeCom, Nortel and SNMP MIB-II.

    The MIB database file is located in the InstallPath\MIBs folder in a file named: KiwiMIBDB.dat

    This database is a proprietary file compiled from over 60,000 MIB definitions. Because usable trap information typically makes up less than 5% of a MIB file, this pre-compiled approach saves a large amount of lookup time, disk space and hash table memory compared with a standard MIB compiler/parser.

    If you would like to add additional MIB lookup values, please contact SolarWinds Support. Send your zipped MIB files, and also include your Unknown_OID_list.txt file so we can ensure all the OIDs are referenced.

    When creating the MIB database, all the traps, notifications and referenced variables are parsed from the MIB files. Sometimes an object may not be referenced correctly and therefore won't be added. In this case, all we need to know is the OID value and we can ensure that it is included.

    Log failed lookups to debug file

    If the "Log failed lookups" option is checked, any OID value that cannot be located in the database is logged to a debug file. The file is located in InstallPath\MIBs and is named Unknown_OID_list.txt.

    Show additional OID suffix info

    Sometimes a device sends additional information encoded after the main OID number, such as the interface index, source and destination addresses, or port numbers. This information can be shown as a suffix to the MIB name.

    For example, a Cisco switch might send a "Link up" trap containing the variable: 1.3.6.1.2.1.2.2.1.2.3.

    The last "3" of the OID refers to the interface index. The rest of the OID can be resolved to the MIB name of "ifDescr".

    If the "Show additional OID suffix info" option is checked, then the MIB name displayed will contain the extra ".3" information. For example: ifDescr.3=SlowEthernet0/3. With the option unchecked, the display will look like: ifDescr=SlowEthernet0/3.
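    As an added example (not code from the guide or the product), the following resolver reproduces the lookup behaviour described under "Perform MIB lookups", "Log failed lookups to debug file" and "Show additional OID suffix info": longest-prefix matching against a MIB table, the optional ".N" suffix, and recording of OIDs that fail to resolve. The small MIB_TABLE is a constructed stand-in for KiwiMIBDB.dat, and the unknown list stands in for Unknown_OID_list.txt.

```python
from typing import Dict, List

# Constructed stand-in for the KiwiMIBDB.dat database: a few MIB-II object names,
# including the ifDescr entry from the guide's "Link up" example.
MIB_TABLE: Dict[str, str] = {
    "1.3.6.1.2.1.1.1": "sysDescr",
    "1.3.6.1.2.1.1.3": "sysUpTime",
    "1.3.6.1.2.1.2.2.1.2": "ifDescr",
    "1.3.6.1.2.1.2.2.1.8": "ifOperStatus",
}


def lookup_oid(oid: str, table: Dict[str, str], show_suffix: bool,
               unknown: List[str]) -> str:
    """Resolve an OID to its MIB name by longest-prefix match.

    Components beyond the matched prefix (interface index, addresses, ports) form
    the suffix; it is appended as ".N" only when show_suffix is set. An OID with no
    matching prefix is appended to `unknown` (the in-memory counterpart of the
    Unknown_OID_list.txt debug file) and returned unchanged.
    """
    parts = oid.split(".")
    # Try the full OID first, then progressively shorter prefixes.
    for cut in range(len(parts), 0, -1):
        name = table.get(".".join(parts[:cut]))
        if name is not None:
            suffix = ".".join(parts[cut:])
            return f"{name}.{suffix}" if (show_suffix and suffix) else name
    unknown.append(oid)
    return oid


def render_varbind(oid: str, value: str, table: Dict[str, str],
                   show_suffix: bool, unknown: List[str]) -> str:
    """Format one binding as name=value, e.g. ifDescr.3=SlowEthernet0/3."""
    return f"{lookup_oid(oid, table, show_suffix, unknown)}={value}"


if __name__ == "__main__":
    failed: List[str] = []
    for flag in (True, False):
        print(render_varbind("1.3.6.1.2.1.2.2.1.2.3", "SlowEthernet0/3", MIB_TABLE, flag, failed))
    # Constructed private-enterprise OID that is not in the table.
    print(lookup_oid("1.3.6.1.4.1.99999.1.0", MIB_TABLE, True, failed), failed)
```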

  5. Click Apply to save your changes.
Last modified
13:48, 2 Mar 2017