Question & Answer
Question
How is Simple Network Management Protocol (SNMP) used in QRadar?
Cause
QRadar can be configured to send SNMP traps to another system.
Answer
QRadar uses SNMP trap configuration for 3 different areas:
Event collection - Receiving SNMP events from other systems
The event collection service (ecs) on QRadar collector and processor can receive events from other systems through SNMP Protocol.
In order to collect SNMP data:
- By default,
snmpport 162 is disabled on QRadar hosts. The followingiptablesandnetstatcommands returns no results:[root@hostname ~]# iptables -nvL | grep 162 [root@hostname ~]# netstat -nlp | grep 162 [root@hostname ~]# - A log source must be created. QRadar supports both SNMP V2 and V3 versions:
SNMPv2 protocol configuration options
SNMPv3 protocol configuration options
- A Full Deploy processed in order for port to be opened and listening.
Note: a Full Deploy needs to be processed during a maintenance window.[root@hostname ~]# iptables -nvL | grep 162 0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:162 [root@hostname ~]# netstat -nlp | grep 162 udp 0 0 :::162 :::* 30064/ecs
Custom Rules - Sending out SNMP messages as response actions from rules
In the Custom Rules window, SNMP is also used as part of a Rules response. The Custom Rule Engine (CRE) might send SNMP messages to other systems when some rule fires response based on its criteria.
- This functionality is not enabled by default and must be enabled through Admin > System Settings.
- Under SNMP Settings section, change Disabled to version used: SNMPv2c or SNMPv3.
- Specify Destination Host.
- Select Destination Port.
- For SNMPv2c, specify Community string.
- For SNMPv3, specify Username, Security Level, Authentication Protocol, Authentication Password, Privacy Protocol, and Privacy Password.
- Select Save.
- Optional: create a custom rule.
- A Full Deploy processed in order for port to be opened and listening.
Note: a Full Deploy needs to be processed during a maintenance window.
After a rule is fired, you can check whether SNMP traps are sent by running
tcpdump over port 162:
tcpdump -nnAs0 -i <management interface> port 162
Monitoring - Responding to SNMP queries about process and health
This SNMP feature allows remote SNMP polling from other system to query QRadar about its system health.
By default, port 8001 is used as 162 is used for event collection.
Note: SNMP version 2 is supported.
- To enable this service, go to Admin > System Settings.
- Go to Embedded SNMP Daemon Settings.
- Change Enabled to Yes.
- Add to IP Access List the monitoring server.
- Update Daemon Port and Community String as needed.
- A Full Deploy processed in order for port to be opened and listening.
Note: a Full Deploy needs to be processed during a maintenance window.
Result
- To verify whether snmpd service is running, use commands
netstatandiptables:[root@hostname ~]# netstat -nlp | grep 8001 udp 0 0 0.0.0.0:8001 0.0.0.0:* 26593/snmpd [root@hostname ~]# iptables -nvL | grep 8001 0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:8001 - Test with SNMP query:
Follow this guide for further troubleshooting:snmpwalk -Os -c public -v 2c localhost:8001 iso.3.6.1.2.1.1.1
QRadar: Test if SNMP Daemon is correctly running on the QRadar appliance
[{"Type":"MASTER","Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"ARM Category":[{"code":"a8m0z000000cwsyAAA","label":"Admin Tasks"}],"ARM Case Number":"TS011968779","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Versions"}]
Was this topic helpful?
Document Information
Modified date:
27 June 2023
UID
ibm16998413