×


SNMP Trap v3 Configuration in Nagios - How to get it done ?

By default, the Nagios XI server will accept inbound SNMP v2 traps from any device. SNMP v3 traps will not be accepted by Nagios XI, unless the server is specifically configured for SNMP v3 traps.

The main difference between v2 and v3 traps is the authentication mechanisms.v2 is much simpler by design, whereas v3 has multiple layers of authentication to strengthen it.

Here at Ibmi Media, as part of our Server Management Services, we regularly help our  Customers to perform related Nagios errors.

In this context, we shall look into how to use Nagios XI servers to configure SNMP Trap v3.


How to configure SNMP Trap v3 in Nagios ?

Now we will see the steps to configure trap V3 for our customers.


1. SNMP v3 traps require the following:

i. Engine ID

With Engine ID we can identify the device sending the SNMP trap (engineID).

Each and every device will have a unique engineID which is a hexadecimal number, for example 0x0102030405.

We can refer to our device SNMP settings to determine what the engineID is.


ii. Username

Generally, this is a username that will help to authenticate the incoming trap. It is also known as the securityName.


iii. Security Level

The security level determines if passphrase(s) are required:


iv. noAuthNoPriv

The username does not require any passphrases


v. authNoPriv

The username requires an authentication passphrase

After gathering all the above requirements, we will be ready to configure snmptrapd to accept SNMP v3 traps.


2. Send Test Trap

To send a test trap, we can run the following command:

snmptrap -v <snmp_version> -e <engine_id> -u <security_username> -a <authentication_protocal> -A <authentication_protocal_pass_phrase> -x <privacy_protocol> -X <privacy_protocol_pass_phrase> <destination_host> <uptime> <OID_or_MIB> <object> <value_type> <value>

When the Nagios XI server receives this, it will be logged in the /var/log/snmptt/snmpttunknown.log file.


3. Default Configuration

The default SNMP Trap configuration is found in the /etc/snmp/snmptrapd.conf file. It contains the following two lines:

disableAuthorization yes
traphandle default /usr/sbin/snmptthandler

The disableAuthorization directive allows SNMP v2 traps from any device to be sent to Nagios XI.

For disabling this we can comment out the disableAuthorization directive by adding a # to the beginning of the line.

#disableAuthorization yes
traphandle default /usr/sbin/snmptthandler


Some other authorization methods:

Following are other methods that we can use for authorization:

1. Restrict To SNMP v3 User – noAuthNoPriv

Here we will allow SNMP v3 traps from the user called user_one for noAuthNoPriv.

Following are the changes that will be made to the configuration:

#disableAuthorization yes
createUser -e 0x0102030405 user_one
authUser log,execute user_one noauth
traphandle default /usr/sbin/snmptthandler

After making the change, we will need to restart the snmptrapd service and send a test trap to confirm the settings are correct.


2. Restrict To SNMP v3 User – authNoPriv

Here we will allow SNMP v3 traps from the user called user_two for authNoPriv.

Following are the changes that will be made to the configuration:

#disableAuthorization yes
createUser -e 0x0102030405 user_one
authUser log,execute user_one noauth
createUser -e 0x0203040506 user_two SHA "Auth3nticati0n PASSPHRAS3"
authUser log,execute user_two
traphandle default /usr/sbin/snmptthandler

Finally, restart the snmptrapd service.


3. Restrict To SNMP v3 User – authPriv

Here we will allow SNMP v3 traps from the user called user_three for authPriv.

Following are the changes that will be made to the configuration:

#disableAuthorization yes
createUser -e 0x0102030405 user_one
authUser log,execute user_one noauth
createUser -e 0x0203040506 user_two SHA "Auth3nticati0n PASSPHRAS3"
authUser log,execute user_two
createUser -e 0x0304050607 user_three SHA "Auth3nticati0n PASSPHRAS3" AES "3ncrypti0n PASSPHRAS3"
authUser log,execute user_three
traphandle default /usr/sbin/snmptthandler

Finally, after making the changes we must restart snmptrapd service.


4. Restart SNMPTRAPD Service

It is important that whenever we make a change to the /etc/snmp/snmptrapd.conf file, we must restart the snmptrapd service with the following command:

RHEL 7+|CentOS 7+|Debian|Ubuntu 16/18/20

$ systemctl restart snmptrapd.service


[Need support in fixing Ubuntu related Software Packages Installation tasks? We can be of help yo you. ]


Conclusion

This article covers How to configure SNMP Trap v3 on the Nagios XI server.

The main difference between v2 and v3 traps is the authentication mechanisms. v2 is much simpler by design whereas v3 has multiple layers of authentication to strengthen it. Probably the biggest difference is that the SNMP Trap Daemon (snmptrapd) is configured by default to accept v2 traps from any device regardless of what SNMP community is provided. 

However snmptrapd cannot be configured to accept traps v3 from any device, it must be configured before it can receive an SNMP v3 trap.


The default SNMP Trap configuration is stored in the /etc/snmp/snmptrapd.conf file and contains just two lines:

disableAuthorization yes
traphandle default /usr/sbin/snmptthandler

 

The disableAuthorization directive allows SNMP v2 traps from any device to be sent to Nagios XI. 

Even if this line exists the Nagios XI server will not be able to receive SNMP v3 traps unless the server has been specifically configured for SNMP v3 traps.