IBM Support

QRadar: Test if SNMP Daemon is correctly running on the QRadar appliance

Troubleshooting


Problem

After SNMP is enabled on the QRadar appliances, you might need to test if SNMP is listening and replying to SNMP queries.

Cause

In some cases, network-related issues might prevent SNMP monitors from reaching QRadar® appliances.

Resolving The Problem

The snmpwalk command is a great utility to test whether the QRadar appliance is accepting SNMP requests.
Procedure
  1. Log in to the QRadar UI as an admin user.
  2. Click on the Admin tab > System Settings > Advanced.
  3. Scroll to Embedded SNMP Daemon Settings.
  4. Verify that the Daemon Port is 8001, the Community String is public, and Enabled = Yes.
  5. If changes are made, click Save.
    Important:
    Deploy Changes might result in services being restarted. While services are restarting, event processing stops until services restart. Scheduled reports that are in-progress need to be manually restarted by users. Administrators with strict outage policies are advised to complete the next step during a scheduled maintenance window for their organization.
  6. Click Deploy Changes.
  7. Use SSH to log in to your Console.
  8. From the Console, use SSH to connect to the appliance on which you need to test SNMP.
  9. Use a text editor to update /opt/qradar/conf/iptables.pre with the iptables rule:
    -A OUTPUT -m udp -p udp --dport 8001 -j ACCEPT
    Note: Opening port 8001 results in any source being able to respond to an SNMP query.
  10. To update iptables, run the command:
    /opt/qradar/bin/iptables_update.pl
  11. Run the command:
    snmpwalk -Os -c public -v 2c localhost:8001 iso.3.6.1.2.1.1.1
  12. Output similar to the following system description is returned.
    sysDescr.0 = STRING: Linux <hostname> 3.10.0-1160.6.1.el7.x86_64 #1 SMP Wed Oct 21 13:44:38 EDT 2020 x86_64
    
Results
The command confirms that the SNMP service is up and running. Administrators can run this command on all appliances to confirm that they are ready to accept SNMP queries.
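
The checks from steps 9 to 12 can be scripted for repeated use across appliances. The following is an added example, not part of IBM's procedure; the function names and the `run` argument are assumptions, while the rule, file path, port, community string and OID are the values given in the steps above.

```shell
#!/bin/sh
# Added example: verifies the outcome of steps 9-12 on one appliance.
RULE='-A OUTPUT -m udp -p udp --dport 8001 -j ACCEPT'  # rule from step 9
PRE_FILE='/opt/qradar/conf/iptables.pre'                # file from step 9
OID='iso.3.6.1.2.1.1.1'                                 # OID from step 11

# Return 0 if the exact rule is an active (uncommented) line in file $1.
# Surrounding whitespace is ignored; a commented-out copy does not count.
rule_present() {
    sed 's/^[[:space:]]*//; s/[[:space:]]*$//' "$1" 2>/dev/null |
        grep -Fxq -- "$RULE"
}

# Return 0 if snmpwalk output on stdin carries a non-empty sysDescr.0 string.
sysdescr_ok() {
    grep -Eq '^sysDescr\.0 = STRING: .+'
}

# Query the local daemon with a 2 s timeout and one retry.
# Community ($1) and port ($2) default to the values checked in step 4.
query_daemon() {
    snmpwalk -Os -c "${1:-public}" -v 2c -t 2 -r 1 \
        "localhost:${2:-8001}" "$OID" 2>&1
}

# Run both checks, print one line per check, return non-zero if any failed.
run_checks() {
    rc=0
    if rule_present "$PRE_FILE"; then
        echo "OK   rule present in $PRE_FILE"
    else
        echo "FAIL rule missing from $PRE_FILE (step 9)"; rc=1
    fi
    out=$(query_daemon "$@")
    if printf '%s\n' "$out" | sysdescr_ok; then
        echo "OK   $out"
    else
        echo "FAIL no sysDescr reply: $out"; rc=1
    fi
    return $rc
}

# Only query when called as: sh check_snmp.sh run [community] [port]
if [ "${1:-}" = "run" ]; then
    shift
    run_checks "$@"
    exit $?
fi
```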
 


Document Information

Modified date:
30 June 2021

UID

swg21993313