3 Replies Latest reply on Mar 7, 2016 5:33 AM by ravismallah

    Retrieving SNMP data from SIEM appliances.

    derick

      Hi All

       

      I am trying to retrieve SNMP data from the various SIEM appliances but I am not having much luck. As a test, I am trying to do a snmpwalk for OID = 1.3.6.1.4.1.23128.1.3 (as per the MIB) but I am not getting any data back.

       

      I can successfully retrieve SNMP data for a standard MIB like "IF-MIB" (OID = 1.3.6.1.2.1.2) - but not for OIDs in the "NITROSECURITY-BASE-MIB".

       

      Below are the results of the above two tests.

       

      ===============

       

      ----------------------- New Test -----------------------

      Paessler SNMP Tester 5.1.3

      2014/11/12 02:21:40 PM (0 ms) : Device: 10.x.y.z

      2014/11/12 02:21:40 PM (1 ms) : SNMP V2c

      2014/11/12 02:21:40 PM (1 ms) : Walk 1.3.6.1.4.1.23128.1.3

       

       

      ----------------------- New Test -----------------------

      Paessler SNMP Tester 5.1.3

      2014/11/12 02:21:52 PM (1 ms) : Device: 10.x.y.z

      2014/11/12 02:21:52 PM (2 ms) : SNMP V2c

      2014/11/12 02:21:52 PM (2 ms) : Walk 1.3.6.1.2.1.2

      2014/11/12 02:21:52 PM (4 ms) : 1.3.6.1.2.1.2.1.0 = "5"

      2014/11/12 02:21:52 PM (6 ms) : 1.3.6.1.2.1.2.2.1.1.1 = "1"

      2014/11/12 02:21:52 PM (8 ms) : 1.3.6.1.2.1.2.2.1.1.2 = "2"

      2014/11/12 02:21:52 PM (11 ms) : 1.3.6.1.2.1.2.2.1.1.3 = "3"

      2014/11/12 02:21:52 PM (13 ms) : 1.3.6.1.2.1.2.2.1.1.4 = "4"

      2014/11/12 02:21:52 PM (17 ms) : 1.3.6.1.2.1.2.2.1.1.5 = "5"

      2014/11/12 02:21:52 PM (19 ms) : 1.3.6.1.2.1.2.2.1.2.1 = "lo"

      2014/11/12 02:21:52 PM (21 ms) : 1.3.6.1.2.1.2.2.1.2.2 = "eth0"

      2014/11/12 02:21:52 PM (24 ms) : 1.3.6.1.2.1.2.2.1.2.3 = "eth1"

      2014/11/12 02:21:52 PM (26 ms) : 1.3.6.1.2.1.2.2.1.2.4 = "eth2"

      2014/11/12 02:21:52 PM (28 ms) : 1.3.6.1.2.1.2.2.1.2.5 = "eth3"

      .....

       

      ===============

       

      I have added the SNMP monitoring station's IP address on all the appliances (ESM, REC, ELM, and ACE) that I am trying to retrieve data from. All appliances are running version 9.4.2-20141029 - but I had the same problem under 9.3.2.

       

      Below is the output from an SNMP test that was run against one receiver for a specific OID:

       

      ===============

       

      ----------------------- New Test -----------------------

      Paessler SNMP Tester 5.1.3

      2014/11/12 01:52:12 PM (0 ms) : Device: 10.x.y.z

      2014/11/12 01:52:12 PM (1 ms) : SNMP V1

      2014/11/12 01:52:12 PM (1 ms) : Custom OID 1.3.6.1.4.1.23128.1.3.3.1

      2014/11/12 01:52:12 PM (5 ms) : -------

      2014/11/12 01:52:12 PM (5 ms) : Value: No Such Name (SNMP error # 2)

      2014/11/12 01:52:12 PM (6 ms) : Done

       

       

      ----------------------- New Test -----------------------

      Paessler SNMP Tester 5.1.3

      2014/11/12 01:52:18 PM (1 ms) : Device: 10.x.y.z

      2014/11/12 01:52:18 PM (2 ms) : SNMP V2c

      2014/11/12 01:52:18 PM (3 ms) : Custom OID 1.3.6.1.4.1.23128.1.3.3.1

      2014/11/12 01:52:18 PM (8 ms) : -------

      2014/11/12 01:52:18 PM (9 ms) : Value: No such object (SNMP error # 222)

      2014/11/12 01:52:18 PM (10 ms) : Done

       

      ===============

       

      I tried both SNMP version 1 and 2c as shown above.

       

      I would appreciate any advice or pointers on how to retrieve the SNMP data from the appliances. I am by no means an SNMP expert - so any help will be greatly appreciated.

       

      Regards

       

      Derick

        • 1. Re: Retrieving SNMP data from SIEM appliances.
          sroering

          Documentation is scarce but here are a few tips about getting information about some attached devices (receiver, elm). This doesn't work for ADM.

           

          First, only the ESM needs to be queried. You pull information about the other devices from the ESM.

          Second, to query information about the other appliances, you need to know the device ID taken from the ESM system properties.

          snmp_config.png

          Third, the information that can be queried is based on the “receiver” objects in the MIB file. (1.3.6.1.4.1.23128.1.3.3)

          For ELM, ACE, Receiver:

          All you need to do is append the device ID to the end of the OID for each property. Note: not all OIDs seem to be supported for the ELM.

          device name: 1.3.6.1.4.1.23128.1.3.3.1
          device UID: 1.3.6.1.4.1.23128.1.3.3.2
          device comm status (1: available, 0: not available): 1.3.6.1.4.1.23128.1.3.3.3
          device status: 1.3.6.1.4.1.23128.1.3.3.4
          device cpu load %: 1.3.6.1.4.1.23128.1.3.3.5
          device total RAM: 1.3.6.1.4.1.23128.1.3.3.6
          device RAM free: 1.3.6.1.4.1.23128.1.3.3.7
          device total DB space: 1.3.6.1.4.1.23128.1.3.3.8
          etc.
          flow rate: 1.3.6.1.4.1.23128.1.3.3.15

          Here are some examples based on my screenshot:

          # snmpget -v1 -c public 10.10.93.15 1.3.6.1.4.1.23128.1.3.3.1.6
          iso.3.6.1.4.1.23128.1.3.3.1.6 = STRING: “Receiver 10.10.93.20”

          # snmpget -v1 -c public 10.10.93.15 1.3.6.1.4.1.23128.1.3.3.2.1
          iso.3.6.1.4.1.23128.1.3.3.1.1 = STRING: “Local Receiver-ELM”

          # snmpget -v1 -c public 10.10.93.15 1.3.6.1.4.1.23128.1.3.3.3.6
          iso.3.6.1.4.1.23128.1.3.3.3.6 = Gauge32: 1

           

          For ADM/APM

          You use similar instructions as above, but with a slightly different OID.

          1.3.6.1.4.1.23128.1.3.30.<health_param>.0

           

          where <health_param> = 1 through 14

           

          Example

          # snmpget -v1 -c public 10.10.93.15 1.3.6.1.4.1.23128.1.3.30.14.0

          iso.3.6.1.4.1.23128.1.3.30.14.0 = Gauge32: 0
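Added example (not code from the thread or from the vendor): a small Python helper that builds the per-device OIDs described in the reply above (property index, then ESM device ID), parses net-snmp style `snmpget` output into a per-device health table, and flags devices whose comm status is 0. The property names are my own labels for the indexes listed in the reply, and the sample output is constructed from the reply's device IDs.

```python
import re
ESM_BASE = "1.3.6.1.4.1.23128.1.3.3"   # "receiver" objects, per the reply
# Property indexes quoted in the reply; 9-14 are not listed there.
PROPERTIES = {"name": 1, "uid": 2, "comm_status": 3, "status": 4, "cpu_load": 5,
              "ram_total": 6, "ram_free": 7, "db_total": 8, "flow_rate": 15}
# net-snmp result line "<oid> = <TYPE>: <value>"; "No Such Object" lines have no "TYPE:"
LINE_RE = re.compile(r"^(?:iso|\.?1)\.(\S+)\s*=\s*([A-Za-z0-9]+):\s*(.*)$")

def device_oid(prop, device_id):
    """Property index first, then the device ID from ESM system properties."""
    return f"{ESM_BASE}.{PROPERTIES[prop]}.{int(device_id)}"

def parse_line(line):
    """(dotted OID, type, value) for a result line; None for an error line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return "1." + m[1], m[2], m[3].strip('"\u201c\u201d')  # straight or curly quotes

def device_health(lines):
    """Group ESM results as {device_id: {property: value}}, skipping the rest."""
    by_index = {v: k for k, v in PROPERTIES.items()}
    devices = {}
    for oid, typ, val in filter(None, map(parse_line, lines)):
        prefix, _, suffix = oid.partition(ESM_BASE + ".")
        parts = suffix.split(".") if prefix == "" else []   # [] for e.g. IF-MIB rows
        if len(parts) == 2 and int(parts[0]) in by_index:    # <property>.<device ID>
            value = int(val) if typ in ("Gauge32", "INTEGER") else val
            devices.setdefault(int(parts[1]), {})[by_index[int(parts[0])]] = value
    return devices

def unreachable(devices):
    """Device IDs whose comm status is 0 (not available, per the reply)."""
    return sorted(d for d, p in devices.items() if p.get("comm_status") == 0)

def ram_free_pct(props):
    """Free RAM as a percentage, or None when a counter is missing or zero."""
    total, free = props.get("ram_total"), props.get("ram_free")
    return round(100.0 * free / total, 1) if total and free is not None else None

# Constructed snmpget output: IDs 6 and 1 from the reply, an unsupported OID, an IF-MIB row.
SAMPLE_OUTPUT = """\
iso.3.6.1.4.1.23128.1.3.3.1.6 = STRING: \u201cReceiver 10.10.93.20\u201d
iso.3.6.1.4.1.23128.1.3.3.3.6 = Gauge32: 1
iso.3.6.1.4.1.23128.1.3.3.6.6 = Gauge32: 16384
iso.3.6.1.4.1.23128.1.3.3.7.6 = Gauge32: 4096
iso.3.6.1.4.1.23128.1.3.3.3.1 = Gauge32: 0
iso.3.6.1.4.1.23128.1.3.3.5.99 = No Such Object available on this agent at this OID
iso.3.6.1.2.1.2.2.1.2.2 = STRING: eth0
"""
```

Feed it the stdout of `snmpget -v1 -c <community> <ESM> <oid> ...` (one result line per OID) and alert on `unreachable()`; walking the bare subtree, as in the original question, returns nothing because the device ID suffix is required.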

          • 2. Re: Retrieving SNMP data from SIEM appliances.
            aygitci

            Hi,

             

            Thanks for the information. Do you know how we can send alarms via SNMP to our supervision tool Centreon (like Nagios)?

            I am having difficulty doing it.

             

            Thanks for your help

            Regards

             

            AyGitci

            • 3. Re: Retrieving SNMP data from SIEM appliances.
              ravismallah

              Hi AyGitci

               

              snmp-profile.jpg

              From the ESM management window you can create your SNMP profile, where in the IP address field you will need to put the IP address of your target server.

               

              recpt-snmp.jpg

              From the same management window select alarms ---> setting. In setting you have to configure two things: first the recipient and secondly the template; in the template you can add all the variables which you plan to forward to the monitoring server.

              recpt.jpg

              The Recipient tab will allow you to configure the target. Remember to set the Enterprise OID to the same one mentioned in the pic. The profile field takes the profile created in the earlier step.


              If you are still facing issues you can PM me.


              Regards

              Ravi Mallah