In IBM QRadar, you can edit the SNMP trap parameters to customize the information that is sent to another SNMP managing system when a rule condition is met.

Restriction: The SNMP trap parameters are displayed in the custom rules wizard only if SNMP is enabled in the QRadar system settings.

Important: SNMPv3 rule responses are sent out as SNMP informs and not traps.

- Use SSH to log in to QRadar as the root user.
- Go to the /opt/qradar/conf directory and make backup copies of the following files:
  - eventCRE.snmp.xml
  - offenseCRE.snmp.xml
- Open the configuration file for editing.
  - To edit the SNMP parameters for event rules, open the eventCRE.snmp.xml file.
  - To edit the SNMP parameters for offense rules, open the offenseCRE.snmp.xml file.
- Inside the <snmp> element and before the <creSNMPTrap> element, insert the following section, updating the labels as needed:

    <creSNMPResponse name="snmp_response_1">
      <custom name="MyColor">
        <string label="What is your favorite color?"/>
      </custom>
      <custom name="MyCategory">
        <list label="Select a category">
          <option label="Label1" value="Category1"/>
          <option label="Label2" value="Category2"/>
        </list>
      </custom>
    </creSNMPResponse>

- Save and close the file.
- Copy the file from the /opt/qradar/conf directory to the /store/configservices/staging/globalconfig directory.
- Log in to the QRadar interface.
- On the Admin tab, select .

Important: QRadar continues to collect events when you deploy the full configuration. When the event collection service must restart, QRadar does not restart it automatically. A message displays that gives you the option to cancel the deployment and restart the service at a more convenient time.
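
A pre-copy check for the edited file, added here as an example and not IBM's or QRadar's own tooling: it confirms that the file is still well-formed XML and that <creSNMPResponse> sits inside <snmp> and before <creSNMPTrap>. The function name, the sample document, the per-<custom> shape checks (modelled on the sample section above) and the absence of XML namespaces in the file are assumptions.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed stand-in for an edited file; the real file holds more than this.
SAMPLE = """<snmp>
  <creSNMPResponse name="snmp_response_1">
    <custom name="MyCategory">
      <list label="Select a category">
        <option label="Label1" value="Category1"/>
      </list>
    </custom>
  </creSNMPResponse>
  <creSNMPTrap/>
</snmp>"""

def check_snmp_config(xml_text):
    """Return a list of problems; an empty list means every check passed."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    snmp = root if root.tag == "snmp" else root.find(".//snmp")
    if snmp is None:
        return ["no <snmp> element found"]
    problems = []
    tags = [child.tag for child in snmp]
    responses = [i for i, t in enumerate(tags) if t == "creSNMPResponse"]
    if not responses:
        problems.append("no <creSNMPResponse> directly inside <snmp>")
    elif "creSNMPTrap" in tags and max(responses) > tags.index("creSNMPTrap"):
        problems.append("<creSNMPResponse> is placed after <creSNMPTrap>")
    # Assumption: each <custom> follows the shape of the sample section.
    for custom in snmp.iter("custom"):
        name = custom.get("name") or "(unnamed)"
        if not custom.get("name"):
            problems.append("<custom> without a name attribute")
        fields = [c for c in custom if c.tag in ("string", "list")]
        if len(fields) != 1 or not fields[0].get("label"):
            problems.append(f"custom {name}: needs one labelled <string> or <list>")
        for opt in custom.iter("option"):
            if not opt.get("label") or opt.get("value") is None:
                problems.append(f"custom {name}: <option> needs label and value")
    return problems

if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE
    found = check_snmp_config(text)
    print("\n".join(found) if found else "OK: checks passed")
    sys.exit(1 if found else 0)
```

Run it with the path to the edited file as its only argument before copying the file to the staging directory; a non-zero exit status means a check failed.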