While versions of RSA prior to 8.1 supported SNMP v2, version 8.1 only supports SNMP v3. To get this data into Splunk, RSA needs to be configured to send traps to a host running snmptrapd. The traps are written to a log file, which Splunk then monitors. The assumption here is that if you are reading this document you are running Splunk on CentOS (any Linux may work just fine with some tweaks) and using net-snmp. I’m using version 5.5.
Configuring The Basic SNMP v3 on RSA
Note that on the RSA, the SHA (authentication) and AES (privacy) passphrases must meet a complexity requirement: a mix of numbers, letters and special characters. net-snmp additionally requires each passphrase to be at least 8 characters long, so pick values that satisfy both sides.
Configuring SNMP traps on the RSA
Configuring the SNMP v3 traps on CentOS
Stop the snmptrapd service if it is currently running:
service snmptrapd stop
Run tcpdump to confirm that traps are arriving on port 162 (SNMP traps are UDP) from your RSA servers:
tcpdump -nnvi any port 162
By filtering only on port 162, the assumption is that nothing else is sending traps to this host. If something else is, narrow the filter to the RSA host:
tcpdump -nnvi any "host my_rsa_server and port 162"
Replace "my_rsa_server" with the IP address of your RSA server.
In another window run snmptrapd in the foreground with debugging enabled. Run it from /tmp, or give -Lf a full path, because the next step reads /tmp/snmp.log:
snmptrapd -On -Lsd -Lf snmp.log -p snmptrapd.pid -D -d -f
Once a few traps have come in from your RSA server, switch back to the window running snmptrapd and stop it with CTRL+C. The -D/-d output is verbose and includes raw packet dumps, so delete the log once you have the engine ID.
Grep'ing for the engineID
[root@securitynik ~]# cat /tmp/snmp.log | grep -i lcd
trace: set_enginetime(): lcd_time.c, 391:
lcd_set_enginetime: engineID 02 00 1A 88 80 AB 55 9B 5C 44 37 06 53 00 29 00
trace: set_enginetime(): lcd_time.c, 391:
lcd_set_enginetime: engineID 11 22 33 44 55 66 77 88 99 29 : boots=0, time=0
trace: set_enginetime(): lcd_time.c, 391:
lcd_set_enginetime: engineID 11 22 33 44 55 66 77 88 99 29 : boots=0, time=0
Configuring snmptrapd.conf
Add a line of the form below to /var/lib/net-snmp/snmptrapd.conf. This file holds the passphrases in clear text, so keep it readable by root only.
createUser -e 0xengine_ID snmpv3_sending_user authentication_protocol authentication_password privacy_protocol privacy_passphrase
-e 0xengine_ID - the engine ID obtained above from the "grep -i lcd" output. The value we will use is "11 22 33 44 55 66 77 88 99 29". It is written as a single hex string prefixed with 0x and with the spaces closed, so our engine ID becomes 0x11223344556677889929. This must be the RSA's (the sender's) engine ID, not the receiver's: for SNMPv3 traps the sender is the authoritative engine, so snmptrapd can only verify the traps if the user is created against that exact -e value.
snmpv3_sending_user - the user configured in the RSA basic config
authentication_protocol - MD5 or SHA
authentication_password - authentication passphrase specified on RSA
privacy_protocol - DES or AES
privacy_passphrase - privacy passphrase specified on RSA
Using the information above, our /var/lib/net-snmp/snmptrapd.conf will have the line below:
createUser -e 0x11223344556677889929 securitynik SHA "s3(urity#ik" AES "s3(urity#ik"
Now add the following lines to /etc/snmp/snmptrapd.conf. The user on the authUser line must be the same user you created above; a trap from a user that is not authorized here is discarded rather than logged. logOption names the file Splunk will monitor:
authUser log,execute,net securitynik
logOption f /var/log/snmptraps.log
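The engine ID extraction and the two config fragments above are easy to get wrong by hand (a stray space, a lower-case hex digit, an authUser name that does not match createUser). The script below is an added example, not code from the original post or from net-snmp: it reads the lcd_set_enginetime lines out of an snmptrapd -D log, prints each distinct engine ID in the 0x form createUser -e expects, sanity-checks the length against the RFC 3411 limits (5 to 32 octets) and net-snmp's 8-character passphrase minimum, and emits the matching createUser and authUser/logOption lines. The SAMPLE_LOG content is constructed from the sanitised values shown above; the helper names are my own.

```shell
#!/bin/sh
# Added example, not part of the original post. Turns the lcd_set_enginetime
# lines from an "snmptrapd -D" log into createUser -e values and builds the
# createUser / authUser / logOption lines described above.

# Constructed sample of the debug log lines the post greps for. The hex values
# are the sanitised ones from the post, not a real device's engine ID.
SAMPLE_LOG='trace: set_enginetime(): lcd_time.c, 391:
lcd_set_enginetime: engineID 02 00 1A 88 80 AB 55 9B 5C 44 37 06 53 00 29 00
trace: set_enginetime(): lcd_time.c, 391:
lcd_set_enginetime: engineID 11 22 33 44 55 66 77 88 99 29 : boots=0, time=0
trace: set_enginetime(): lcd_time.c, 391:
lcd_set_enginetime: engineID 11 22 33 44 55 66 77 88 99 29 : boots=0, time=0'

# engine_ids: read a debug log on stdin and print every distinct engineID once,
# as 0x-prefixed upper-case hex with the spaces closed (the createUser -e form).
engine_ids() {
    sed -n 's/^lcd_set_enginetime: engineID \([0-9A-Fa-f ]*[0-9A-Fa-f]\).*$/\1/p' \
        | tr -d ' ' \
        | tr 'abcdef' 'ABCDEF' \
        | sed 's/^/0x/' \
        | sort -u
}

# engine_id_ok: sanity check before the value goes into snmptrapd.conf.
# RFC 3411 limits an SnmpEngineID to 5..32 octets, so after the 0x prefix the
# hex string must be even length and 10..64 characters. Exit status 0 if ok.
engine_id_ok() {
    hex=${1#0x}
    [ "$hex" != "$1" ] || return 1
    case $hex in ''|*[!0-9A-Fa-f]*) return 1 ;; esac
    n=${#hex}
    [ $((n % 2)) -eq 0 ] && [ "$n" -ge 10 ] && [ "$n" -le 64 ]
}

# createuser_line: the line for /var/lib/net-snmp/snmptrapd.conf.
# Arguments: engineID user authproto authpass privproto privpass
# net-snmp rejects USM passphrases shorter than 8 characters, so check that too.
createuser_line() {
    engine_id_ok "$1" || { echo "bad engineID: $1" >&2; return 1; }
    [ ${#4} -ge 8 ] && [ ${#6} -ge 8 ] || { echo "passphrases must be 8+ chars" >&2; return 1; }
    printf 'createUser -e %s %s %s "%s" %s "%s"\n' "$1" "$2" "$3" "$4" "$5" "$6"
}

# access_lines: the lines for /etc/snmp/snmptrapd.conf, using the same user
# name as createuser_line so the authorisation entry matches the created user.
# Arguments: user logfile
access_lines() {
    printf 'authUser log,execute,net %s\n' "$1"
    printf 'logOption f %s\n' "$2"
}

# Usage: list the candidate engine IDs seen in the log, then build the config.
printf '%s\n' "$SAMPLE_LOG" | engine_ids
createuser_line 0x11223344556677889929 securitynik SHA 's3(urity#ik' AES 's3(urity#ik'
access_lines securitynik /var/log/snmptraps.log
```

On a real box, replace the constructed SAMPLE_LOG with `engine_ids < /tmp/snmp.log`; if more than one engine ID is printed, the RSA's is the one that appears on the lines carrying the boots/time counters for the traps you just captured, and the other entries belong to other engines snmptrapd has seen.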
Start the snmptrapd service:
service snmptrapd start
Assuming there is no error, the file named in logOption, /var/log/snmptraps.log, should have been created and traps from the RSA should start appearing in it.
Configuring Splunk
From within Splunk select Settings -> Data Inputs -> Files and Directories.
Select "New" to create a new file input pointing at the trap log.
Browse to /var/log/ and select the file snmptraps.log. Also select "Continuously Monitor". The account Splunk runs as needs read access to this file, so adjust its permissions if snmptrapd created it as root.
After clicking Next, select your sourcetype.
Define your input settings.
Review and Done.
Assuming that the data was successfully written to /var/log/snmptraps.log and the Splunk configuration was successful, you should now be seeing authentication information, etc. from the RSA in your Splunk instance.
Thanks to Matt Deter of the SANS mailing list for pointing me in the right direction towards resolving some issues I was having with getting traps to be received successfully.