
NetWitness SNMPv3 configuration On Hosts for Monitoring by a Network Management Software

Applies To

Product Set: NetWitness Platform
Product/Service Type: Core Appliances
Version: 11.x, 12.x
O/S Version : CentOS EL7

 

Subject of Article

How to configure SNMP on a NetWitness host, create an SNMPv3 user, and run an snmpwalk to test that the SNMP agent responds.

 

Required Steps

Follow the steps below to enable SNMP, create an SNMPv3 user, and run an snmpwalk to test it on a NetWitness host.
 

  1. If the file /etc/snmp/snmpd.conf does not exist, download the script nwsnmpconfig-2015.09.10.sh attached to this article, transfer it to the appliance, and run it.

    If /etc/snmp/snmpd.conf exists but is not the NetWitness-customized version, you will also need to transfer the script to the appliance and run it.

    Note: /etc/snmp/snmpd.conf is the NetWitness-customized version when the second line of the file is #Sample Security Analytics snmpd.conf file.
    1. Add execute permission to the script
      # chmod +x nwsnmpconfig-2015.09.10.sh
    2. Execute the script
      # ./nwsnmpconfig-2015.09.10.sh
  2. Verify iptables for SNMP access and that the customer is allowing it on any other internal firewall. This is required for SNMP to work. (Reference How to Write Iptable Rules in NetWitness Platform 11.x)
    1. List out the current rules with line numbers in Iptables
      # iptables -L --line-numbers
    2. Save the current Iptables configuration
      # service iptables save
    3. Take a backup of the current Iptables configuration
      # cp /etc/sysconfig/iptables /etc/sysconfig/iptables.backup.$(date +"%Y%m%d_%H%M")
    4. Take note of the line number of the final DROP rule in the INPUT chain, because the allow rules must be inserted before that line (rules are matched in order, so anything after the DROP is never reached)
      # iptables -L --line-numbers | grep DROP
      Output
      Chain INPUT (policy DROP)
      23 DROP all -- anywhere anywhere
      Chain FORWARD (policy DROP)
      1 DROP all -- anywhere anywhere

       

    5. Add the new iptables rules to allow SNMP traffic.
      Note: In this example the rules are inserted at line 22, just ahead of line 23, which is the final INPUT chain DROP. Inserting both rules at the same index puts the second one (162) above the first (161), which is the order shown in the verification output in step 3. UDP 161 is the port the management software polls; UDP 162 (snmptrap) only needs to be open inbound if this host will itself receive traps. If the management station has a fixed address, add -s <NMS-IP> to each rule instead of accepting SNMP from anywhere.
      # iptables -I INPUT 22 -p udp -m state --state NEW -m udp --dport 161 -j ACCEPT
      # iptables -I INPUT 22 -p udp -m state --state NEW -m udp --dport 162 -j ACCEPT
  3. Save and restart the Iptables if it was modified. If not modified, skip this step.
    1. Initiate an Iptables save
      # service iptables save
    2. Restart the Iptables service to read in all saved changes
      # systemctl restart iptables
    3. Verify that all Iptables changes are active
      # iptables -L --line-numbers | grep -i snmp
      Output
      22 ACCEPT udp -- anywhere anywhere state NEW udp dpt:snmptrap
      23 ACCEPT udp -- anywhere anywhere state NEW udp dpt:snmp

  4. Stop the snmpd service if it is running. net-snmp-create-v3-user writes the new user into /var/lib/net-snmp/snmpd.conf, which snmpd rewrites on shutdown, so the daemon must be stopped before the user is created.
    # systemctl stop snmpd
  5. Configure snmpd to start at boot (on CentOS 7, chkconfig is a compatibility wrapper; systemctl enable snmpd is equivalent)
    # chkconfig snmpd on

     

  6. Create a new SNMPv3 user account
    Note: -A sets the authentication passphrase (<AuthPaswd>) and -a sets the authentication protocol (SHA). -X sets the privacy (traffic encryption) passphrase (<TrafPaswd>) and -x sets the privacy protocol (AES). The -a and -x values can be changed as needed by the environment. Both passphrases must be at least 8 characters; net-snmp rejects shorter ones. Use a read-only user unless the management software actually needs to write via SNMP.

    Full Access user creation
    # net-snmp-create-v3-user -A <AuthPaswd> -a SHA -X <TrafPaswd> -x AES <username>
    Read Only user creation
    # net-snmp-create-v3-user -ro -A <AuthPaswd> -a SHA -X <TrafPaswd> -x AES <username>
    Output - Full Access user
    adding the following line to /var/lib/net-snmp/snmpd.conf:
       createUser <username> SHA "<AuthPaswd>" AES <TrafPaswd>

    adding the following line to /etc/snmp/snmpd.conf:
        rwuser <username>

    Output - Read Only access user
    adding the following line to /var/lib/net-snmp/snmpd.conf:
       createUser <username> SHA "<AuthPaswd>" AES <TrafPaswd>

    adding the following line to /etc/snmp/snmpd.conf:
    rouser <username>

     

  7. Open /etc/snmp/snmpd.conf and uncomment the "master agentx" line, so that the NetWitness core services can register as AgentX subagents
    # vi /etc/snmp/snmpd.conf

    Before:
    # master agentx
    After:
    master agentx
  8. Check the created users under "Process Monitoring" in /etc/snmp/snmpd.conf

    Full Access user
       rwuser <username>

    Read Only user
       rouser <username>
  9. Start the snmpd service (it was stopped in step 4)
    # systemctl start snmpd

  10. Restart the core NetWitness services on the host being configured.
    Note: Stop capture (decoders) and/or aggregation (concentrators/archivers) before restarting the appropriate service

    Example Restarts
    # systemctl restart nwappliance
    # systemctl restart nwdecoder
    # systemctl restart nwconcentrator

     

  11. Once the services have been restarted, use snmpwalk to confirm SNMP is responding as expected. Use -l authPriv so the walk is both authenticated and encrypted with the AES key you set; with -l authNoPriv the -x and -X options are ignored and the traffic is sent in clear text.
    # snmpwalk -v3 -a SHA -A <AuthPaswd> -u <username> -x AES -X <TrafPaswd> -m "/var/snmp/mibs/NETWITNESS-MIB.txt" -l authPriv localhost .1.3.6.1.4.1.36807


    Output
    NETWITNESS-MIB::nwDecoderNodeIndex.0 = INTEGER: 0 
    NETWITNESS-MIB::nwDecoderNodeIndex.1 = INTEGER: 1
    NETWITNESS-MIB::nwDecoderNodeIndex.2 = INTEGER: 2
    NETWITNESS-MIB::nwDecoderNodeIndex.3 = INTEGER: 3
    NETWITNESS-MIB::nwDecoderNodeIndex.4 = INTEGER: 4
    NETWITNESS-MIB::nwDecoderNodeIndex.5 = INTEGER: 5
    NETWITNESS-MIB::nwDecoderNodeIndex.6 = INTEGER: 6
    NETWITNESS-MIB::nwDecoderNodeIndex.7 = INTEGER: 7
    NETWITNESS-MIB::nwDecoderNodeIndex.8 = INTEGER: 8
    NETWITNESS-MIB::nwDecoderNodeIndex.9 = INTEGER: 9
    NETWITNESS-MIB::nwDecoderNodeIndex.10 = INTEGER: 10
    NETWITNESS-MIB::nwDecoderNodeIndex.11 = INTEGER: 11
    ...
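The procedure above is easy to get wrong by hand (inserting at the wrong iptables index, a passphrase too short for net-snmp, running the setup script against a file that is already customized). The following helper functions are an added example and are not part of the original article or of NetWitness: they compute the insert position from an `iptables -L --line-numbers` listing, emit the two allow rules (optionally restricted to an assumed management station address, which the article's rules do not do), and check the passphrase and snmpd.conf preconditions. The iptables listing and snmpd.conf text are constructed sample input so the script runs offline; on a real host you would feed it the live command output.

```bash
#!/usr/bin/env bash
# Added example, not from the original article or NetWitness: helpers for
# scripting the SNMPv3 setup steps safely. Sample inputs below are constructed.
set -u

# Constructed, abridged sample of `iptables -L --line-numbers` output.
SAMPLE_IPTABLES='Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
2    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
23   DROP       all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
num  target     prot opt source               destination
1    DROP       all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination'

# Print the line number of the final DROP rule in the INPUT chain only.
# The FORWARD chain has its own DROP at line 1, which must be ignored.
input_drop_line() {
    printf '%s\n' "$1" | awk '
        /^Chain /                          { chain = $2 }
        chain == "INPUT" && $2 == "DROP"   { last = $1 }
        END { if (last != "") print last }'
}

# Emit the iptables commands that insert the SNMP allow rules just before the
# INPUT DROP. Both use the same index, so the second (162) lands above the
# first (161), matching the article's verification output. The optional
# second argument is an assumed NMS address/CIDR; supplying it restricts the
# source instead of accepting SNMP from anywhere.
snmp_allow_rules() {
    drop_line=$1
    src=${2:-}
    srcopt=""
    [ -n "$src" ] && srcopt=" -s $src"
    pos=$((drop_line - 1))
    printf 'iptables -I INPUT %s%s -p udp -m state --state NEW -m udp --dport 161 -j ACCEPT\n' "$pos" "$srcopt"
    printf 'iptables -I INPUT %s%s -p udp -m state --state NEW -m udp --dport 162 -j ACCEPT\n' "$pos" "$srcopt"
}

# net-snmp requires SNMPv3 passphrases of at least 8 characters.
# Returns 0 when the passphrase is long enough, 1 otherwise.
valid_v3_passphrase() {
    [ "${#1}" -ge 8 ]
}

# Step 1 precondition: snmpd.conf is the NetWitness-customized version when
# its second line is exactly "#Sample Security Analytics snmpd.conf file".
# Reads the file contents from stdin so it can be tested without /etc/snmp.
snmpd_conf_is_customized() {
    second=$(sed -n '2p')
    [ "$second" = "#Sample Security Analytics snmpd.conf file" ]
}

# Demonstration on the constructed listing, restricted to an assumed NMS host.
drop=$(input_drop_line "$SAMPLE_IPTABLES")
echo "INPUT DROP is at line $drop; rules to insert ahead of it:"
snmp_allow_rules "$drop" 192.0.2.10/32
```

On a live host, replace the sample with `input_drop_line "$(iptables -L --line-numbers)"`, review the printed rules, then run them, `service iptables save`, and `systemctl restart iptables` as in steps 2 and 3; check `snmpd_conf_is_customized < /etc/snmp/snmpd.conf` before deciding whether to run nwsnmpconfig-2015.09.10.sh.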
Additional Information

Enable SNMP on NW Host via System>Host Tasks.

Host GS: Hosts and Services Maintenance Procedures


Article to Configure SNMP on NW Hosts
How to enable SNMP in OS on NetWitness Platform

Using SNMP Traps
You can monitor a NetWitness Platform component so that it proactively sends alerts over Simple Network Management Protocol (SNMP) when a threshold is crossed or a system failure occurs.

You can monitor the following for NetWitness Platform components:
  • CPU utilization that reaches a defined threshold
  • Memory utilization that reaches a defined threshold
  • Disk utilization that reaches a defined threshold


SNMP Configuration
NetWitness Servers can be configured to send out SNMPv3 threshold traps and monitor traps. Threshold traps are sent in conjunction with node thresholds that are configured by the NetWitness Platform Core applications. Monitor traps are sent by the SNMP daemon for the items that are indicated in the SNMP configuration file. You must set up the SNMP daemon on another service to receive SNMP traps from NetWitness Platform. You can set up SNMP on NetWitness Platform in the configuration setting for the NetWitness Server. For more information, see "Service Configuration Settings" in the NetWitness Platform Host and Services Getting Started Guide for a specific type of host.

Using SNMP with Health and Wellness
Monitor Health and Wellness Using SNMP Alerts

Setting up SNMP traps in NetWitness
How to configure SNMP traps in NetWitness Platform

Setting up Iptable rules in NetWitness
How to write iptable rules in NetWitness Platform appliances

System Logging Configurations (Parameters for SNMPV3)
Host GS: Core Service Logging Configuration