Monday, August 3, 2015

Integrating RSA 8.1 (SNMPv3 traps) with Splunk on CentoOS 6.6

While versions of RSA prior to 8.1 supported SNMP v2, version 8.1 only supports SNMP v3. To receive this data in Splunk, RSA needs to be configured to send traps to Splunk. The SNMP traps are then written to a file which is then read by Splunk . The assumption here is that if you are reading this document you are running splunk on CentOS (any Linux may work just fine with some tweaks) and using net-snmp. I’m using version 5.5.
Configuring The Basic SNMP v3 on RSA 
Note for the RSA your AES and SHA values must have some level of complexity. That is numbers, letters and special characters, etc.

 Configuring SNMP traps on the RSA

Configuring the SNMP v3 traps on CentOS
Stop the current snmptrapd service if it is currently running
“service snmptrapd stop”

Run tcpdump to ensure traffic is coming on port 162 from your RSA Servers
tcpdump -nnvi any port 162

By focusing on only port 162, the assumption is you have nothing else sending traps. If you do, you should consider using a tcpdump filter such as:
 tcpdump -nnvi any “host my_rsa_server and port 162”
Replace “my_rsa_server” with your own server IP

In another window run snmptrapd in debugging mode.
snmptrapd -On -Lsd -Lf snmp.log -p -D -d –f 

After a few packets have come in with the snmptrap from your rsa_server, switch back to the window running “snmptrapd” and kill the process with "CTRL+C"

 Grep'ing for the engineID
[root@securitynik ~]# cat /tmp/snmp.log | grep -i lcd
trace: set_enginetime(): lcd_time.c, 391:
lcd_set_enginetime: engineID 02 00 1A 88 80 AB 55 9B 5C 44 37 06 53 00 29 00

trace: set_enginetime(): lcd_time.c, 391:
lcd_set_enginetime: engineID 11 22 33 44 55 66 77 88 99 29 : boots=0, time=0

trace: set_enginetime(): lcd_time.c, 391:
lcd_set_enginetime: engineID 11 22 33 44 55 66 77 88 99 29 : boots=0, time=0

Configuring snmptrapd.conf

Add a line that contains the information below to “/var/lib/net-snmp/snmptrapd.conf”

createUser -e 0xengine_ID snmpv3_sending_user authentication_protocol authentication_password privacy_protocol privacy_passphrase

-e 0xEngine_ID - value represents the engine which was obtained above from the “grep –I lcd” output. The value we will use is “11 22 33 44 55 66 77 88 99 29”. This engine id needs to be prepended with “0x” and the spaces should be closed. So our new engine id looks like “0x11223344556677889929”

 snmpv3_sending_user – The user configured in the RSA basic config

authentication_protocol – either MD5 or SHA

authentication_password – Password specified on RSA

privacy_protocol – DES or AES

privacy_passphrase - Password specified on RSA

using the information above, our “/var/lib/net-snmp/snmptrapd.conf” will have the line below:

createUser -e 0x11223344556677889929 securitynik SHA "s3(urity#ik" AES "s3(urity#ik"

Now let’s add the following lines to our “/etc/snmp/snmptrapd.conf”

authUser log,execute,net forsythems

logOption f /var/log/snmptraps.log

start the snmptrapd service

“service snmptrapd start”

Assuming there is no error, a file named “snmptrapd.log” should have been created under “/var/log/”.

Configuring Splunk
From within Splunk select Settings -> Data Inputs -> Files and Directories
Select “New” to create your new file input which will point to snmptrap.log.
Browse to the /var/log/ and select the file snmptrap.log. Also select “Continuously Monitor”

After clicking next select your sourcetype
Define your Input settings
Review and done.

Assuming that the data was successfully written to "/var/log/snmptrap.log" and the Splunk configuration was successful, you should now be seeing authentication information, etc in your Splunk instace.

Thanks to Matt Deter of the SANS mailing list for pointing me in the right direction towards resolving some issues I was having with getting traps to be received successfully.


No comments:

Post a Comment