Customizing the SNMP trap output

IBM QRadar uses SNMP to send traps that provide information when rule conditions are met.

By default, QRadar uses the QRadar management information base (MIB) to manage the devices in the communications network. However, you can customize the output of the SNMP traps to adhere to another MIB.

Important: SNMPv3 rule responses are sent out as SNMP informs and not traps.

Procedure

  1. Use SSH to log in to QRadar as the root user.
  2. Go to the /opt/qradar/conf directory and make backup copies of the following files:
    • eventCRE.snmp.xml
    • offenseCRE.snmp.xml
  3. Open the configuration file for editing.
    • To edit the SNMP parameters for event rules, open the eventCRE.snmp.xml file.
    • To edit the SNMP parameters for offense rules, open the offenseCRE.snmp.xml file.
  4. To change the trap that is used for SNMP trap notification, update the following text with the appropriate trap object identifier (OID):
     <creSNMPTrap version="3" OID="1.3.6.1.4.1.20212.1.1" name="eventCRENotification">
  5. Use the following table to help you update the variable binding information:

    Each variable binding associates a particular MIB object instance with its current value.

    Table 1. Value types for variable binding

    | Value type | Description                                                                       | Example                                               |
    |------------|-----------------------------------------------------------------------------------|-------------------------------------------------------|
    | string     | Alphanumeric characters. You can configure multiple values.                       |                                                       |
    | integer32  | A numerical value                                                                 | name="ATTACKER_PORT" type="integer32">%ATTACKER_PORT% |
    | oid        | Each SNMP trap carries an identifier that is assigned to an object within the MIB | OID="1.3.6.1.4.1.20212.2.46"                          |
    | gauge32    | A numerical value range                                                           |                                                       |
    | counter64  | A numerical value that increments within a defined minimum and maximum range      |                                                       |

  6. For each of the value types, include any of the following fields:

    Table 2. Fields for the variable bindings

    | Field  | Description                                                                        | Example (1)                                                                                                                                                                            |
    |--------|------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
    | Native | For more information about these fields, see the /opt/qradar/conf/snmp.help file. | If the value type is ipAddress, you must use a variable that is an IP address. The string value type accepts any format.                                                               |
    | Custom | Custom SNMP trap information that you configured for the custom rules wizard       | If you used the default file information and want to include this information in the SNMP trap, include the following code: <variableBinding name="My Color Variable Binding" OID="1.3.6.1.4.1.20212.3.1" type="string">My favorite color is %MyColor%</variableBinding> |

    (1) Surround the field name with percentage (%) signs. Within the percentage signs, fields must match the value type.


  7. Save and close the file.
  8. Copy the file from the /opt/qradar/conf directory to the /store/configservices/staging/globalconfig directory.
  9. Log in to QRadar as an administrator.
  10. On the navigation menu, click Admin.
  11. Select Advanced > Deploy Full Configuration.
    Important: QRadar continues to collect events when you deploy the full configuration. When the event collection service must restart, QRadar does not restart it automatically. A message displays that gives you the option to cancel the deployment and restart the service at a more convenient time.
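As an added check to run before you copy the edited file in step 8 (this is example code written for this page, not QRadar's own tooling), the following Python script parses a customized trap definition and flags the mistakes the tables above make easy to introduce: a trap or binding OID that is not dotted-numeric, an OID reused by two bindings, a value type that is not one of those listed, a numeric or address binding whose value is not a single %FIELD% placeholder, and an unbalanced percentage sign. The sample fragment is constructed for the demonstration; the layout with <variableBinding> elements nested inside <creSNMPTrap>, and the rule that integer32, gauge32, counter64 and ipAddress values must be exactly one placeholder, are assumptions of this example rather than statements from the page.

```python
import re
import xml.etree.ElementTree as ET

# Value types from Table 1, plus ipAddress, which Table 2 mentions.
ALLOWED_TYPES = {"string", "integer32", "oid", "gauge32", "counter64", "ipAddress"}
# Types whose value must be exactly one %FIELD% placeholder. Assumption: a
# conservative reading of "fields must match the value type".
SINGLE_FIELD_TYPES = {"integer32", "gauge32", "counter64", "ipAddress"}

OID_RE = re.compile(r"^\d+(?:\.\d+)+$")       # dotted-numeric OID, e.g. 1.3.6.1.4.1.20212.2.46
FIELD_RE = re.compile(r"^%[A-Za-z0-9_]+%$")   # a lone %FIELD% placeholder

# Constructed sample: two bindings in the form the page shows, followed by
# three deliberately broken ones. Nesting <variableBinding> inside
# <creSNMPTrap> is an assumption about the file layout.
SAMPLE_XML = """\
<creSNMPTrap version="3" OID="1.3.6.1.4.1.20212.1.1" name="eventCRENotification">
  <variableBinding name="ATTACKER_PORT" OID="1.3.6.1.4.1.20212.2.46" type="integer32">%ATTACKER_PORT%</variableBinding>
  <variableBinding name="My Color Variable Binding" OID="1.3.6.1.4.1.20212.3.1" type="string">My favorite color is %MyColor%</variableBinding>
  <variableBinding name="Bad Port" OID="1.3.6.1.4.1.20212.3.2" type="integer32">port %ATTACKER_PORT%</variableBinding>
  <variableBinding name="Bad OID" OID="1.3.6.1.4.1.20212.x" type="string">%SourceIP%</variableBinding>
  <variableBinding name="Bad Type" OID="1.3.6.1.4.1.20212.3.3" type="float">1.5</variableBinding>
</creSNMPTrap>
"""


def check_trap_config(xml_text):
    """Return a list of problem descriptions; an empty list means the fragment passed."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != "creSNMPTrap":
        problems.append(f"root element is <{root.tag}>, expected <creSNMPTrap>")
    trap_oid = root.get("OID", "")
    if not OID_RE.match(trap_oid):
        problems.append(f"trap OID {trap_oid!r} is not dotted-numeric")

    seen_oids = set()
    for vb in root.iter("variableBinding"):
        name = vb.get("name", "<unnamed>")
        oid = vb.get("OID", "")
        vtype = vb.get("type", "")
        value = (vb.text or "").strip()

        # Every binding needs its own well-formed OID under the MIB.
        if not OID_RE.match(oid):
            problems.append(f"{name}: OID {oid!r} is not dotted-numeric")
        elif oid in seen_oids:
            problems.append(f"{name}: OID {oid} is already used by another binding")
        seen_oids.add(oid)

        # The type must be one the page lists, and numeric/address types must
        # carry a single field placeholder rather than free text.
        if vtype not in ALLOWED_TYPES:
            problems.append(f"{name}: unknown value type {vtype!r}")
        elif vtype in SINGLE_FIELD_TYPES and not FIELD_RE.match(value):
            problems.append(
                f"{name}: {vtype} value must be a single %FIELD% placeholder, got {value!r}"
            )

        # An odd number of % signs means a placeholder was left unclosed.
        if value.count("%") % 2:
            problems.append(f"{name}: unbalanced % signs in {value!r}")
    return problems


def check_trap_file(path):
    """Run the same checks on a real file, e.g. /opt/qradar/conf/eventCRE.snmp.xml."""
    with open(path, encoding="utf-8") as fh:
        return check_trap_config(fh.read())


if __name__ == "__main__":
    for problem in check_trap_config(SAMPLE_XML):
        print(problem)
```

Run it against the sample and it reports the three broken bindings; point check_trap_file at your edited copy of eventCRE.snmp.xml or offenseCRE.snmp.xml before copying it to the staging directory, so a typo in an OID or a stray percentage sign is caught locally instead of after a full configuration deployment.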