By default, the Nagios XI server will accept inbound SNMP v2 traps from any device. SNMP v3 traps will not be accepted by Nagios XI, unless the server is specifically configured for SNMP v3 traps.
The main difference between v2 and v3 traps is the authentication mechanisms.v2 is much simpler by design, whereas v3 has multiple layers of authentication to strengthen it.
Here at Ibmi Media, as part of our Server Management Services, we regularly help our Customers to perform related Nagios errors.
In this context, we shall look into how to use Nagios XI servers to configure SNMP Trap v3.
Now we will see the steps to configure trap V3 for our customers.
1. SNMP v3 traps require the following:
i. Engine ID
With Engine ID we can identify the device sending the SNMP trap (engineID).
Each and every device will have a unique engineID which is a hexadecimal number, for example 0x0102030405.
We can refer to our device SNMP settings to determine what the engineID is.
ii. Username
Generally, this is a username that will help to authenticate the incoming trap. It is also known as the securityName.
iii. Security Level
The security level determines if passphrase(s) are required:
iv. noAuthNoPriv
The username does not require any passphrases
v. authNoPriv
The username requires an authentication passphrase
After gathering all the above requirements, we will be ready to configure snmptrapd to accept SNMP v3 traps.
2. Send Test Trap
To send a test trap, we can run the following command:
snmptrap -v <snmp_version> -e <engine_id> -u <security_username> -a <authentication_protocal> -A <authentication_protocal_pass_phrase> -x <privacy_protocol> -X <privacy_protocol_pass_phrase> <destination_host> <uptime> <OID_or_MIB> <object> <value_type> <value>
When the Nagios XI server receives this, it will be logged in the /var/log/snmptt/snmpttunknown.log file.
3. Default Configuration
The default SNMP Trap configuration is found in the /etc/snmp/snmptrapd.conf file. It contains the following two lines:
disableAuthorization yes
traphandle default /usr/sbin/snmptthandler
The disableAuthorization directive allows SNMP v2 traps from any device to be sent to Nagios XI.
For disabling this we can comment out the disableAuthorization directive by adding a # to the beginning of the line.
#disableAuthorization yes
traphandle default /usr/sbin/snmptthandler
Following are other methods that we can use for authorization:
1. Restrict To SNMP v3 User – noAuthNoPriv
Here we will allow SNMP v3 traps from the user called user_one for noAuthNoPriv.
Following are the changes that will be made to the configuration:
#disableAuthorization yes
createUser -e 0x0102030405 user_one
authUser log,execute user_one noauth
traphandle default /usr/sbin/snmptthandler
After making the change, we will need to restart the snmptrapd service and send a test trap to confirm the settings are correct.
2. Restrict To SNMP v3 User – authNoPriv
Here we will allow SNMP v3 traps from the user called user_two for authNoPriv.
Following are the changes that will be made to the configuration:
#disableAuthorization yes
createUser -e 0x0102030405 user_one
authUser log,execute user_one noauth
createUser -e 0x0203040506 user_two SHA "Auth3nticati0n PASSPHRAS3"
authUser log,execute user_two
traphandle default /usr/sbin/snmptthandler
Finally, restart the snmptrapd service.
3. Restrict To SNMP v3 User – authPriv
Here we will allow SNMP v3 traps from the user called user_three for authPriv.
Following are the changes that will be made to the configuration:
#disableAuthorization yes
createUser -e 0x0102030405 user_one
authUser log,execute user_one noauth
createUser -e 0x0203040506 user_two SHA "Auth3nticati0n PASSPHRAS3"
authUser log,execute user_two
createUser -e 0x0304050607 user_three SHA "Auth3nticati0n PASSPHRAS3" AES "3ncrypti0n PASSPHRAS3"
authUser log,execute user_three
traphandle default /usr/sbin/snmptthandler
Finally, after making the changes we must restart snmptrapd service.
4. Restart SNMPTRAPD Service
It is important that whenever we make a change to the /etc/snmp/snmptrapd.conf file, we must restart the snmptrapd service with the following command:
RHEL 7+|CentOS 7+|Debian|Ubuntu 16/18/20
$ systemctl restart snmptrapd.service
This article covers How to configure SNMP Trap v3 on the Nagios XI server.
The main difference between v2 and v3 traps is the authentication mechanisms. v2 is much simpler by design whereas v3 has multiple layers of authentication to strengthen it. Probably the biggest difference is that the SNMP Trap Daemon (snmptrapd) is configured by default to accept v2 traps from any device regardless of what SNMP community is provided.
However snmptrapd cannot be configured to accept traps v3 from any device, it must be configured before it can receive an SNMP v3 trap.
The default SNMP Trap configuration is stored in the /etc/snmp/snmptrapd.conf file and contains just two lines:
disableAuthorization yes
traphandle default /usr/sbin/snmptthandler
The disableAuthorization directive allows SNMP v2 traps from any device to be sent to Nagios XI.
Even if this line exists the Nagios XI server will not be able to receive SNMP v3 traps unless the server has been specifically configured for SNMP v3 traps.