Understanding SNMP in a SIEM environment and Monitoring RELIANOID Appliance

View Categories

Understanding SNMP in a SIEM environment and Monitoring RELIANOID Appliance

13 min read

An introduction to SNMP #

SNMP or Simple Network Management Protocol is an application layer protocol defined by the IETF in it’s current amend RFC 1157. SNMP base its data representation in an ASN.1 (presentation layer protocol) modification, defined also by the IETF in the RFC 1065 as SMI (Structure and Identification of Management Information).

SNMP allows two ways of working, synchronous (or polling) and asynchronous. The synchronous mode is the most common way of using SNMP, it works by sending PDUs (Protocol Data Units) to managed devices which implements SNMP in the network, those PDU could be for data retrieval (GetRequest) which requires a response from the device (GetResponse) or to set a value in a specific object (SetRequest).

SNMP in asynchronous mode works by the use of traps. Traps are unsolicited alert PDUs sent by the managed device to a central trap collector station, those traps are the indicator that a critical event has happened in the monitored device, for example, overheating or too much memory usage and are directed to the UDP port 162.

MIB – Management Information Base #

Each object which could be managed by SNMP are grouped hierarchically and represented in a special file called MIB files, those MIBs are descriptors of groups of managed objects organized by under a tree of OIDs (Object Identifiers) which identifies each object in a unique way.

One of the most common MIB files is defined by the IETF in the MIB-II.

SNMP – Architecture #

SNMP defines 3 types of entities in its architecture:

Network Management Stations: Execute management applications to control and monitor the network elements.
Network elements: Devices such as a RELIANOID Load Balancer which will be monitored by the network management station.
Agents: Software responsible for executing orders sent by the network management stations, like retrieving the value of a specific OID.

In the following picture, it’s shown an example of an usual SNMP architecture in a network:

Configuring SNMP in RELIANOID Appliances #

RELIANOID appliances come with an SNMP agent implemented on it allowing the Debian GNU/Linux default OIDs to be polled synchronously by a network management station in order to control the state of the load balancer.

To configure SNMP in RELIANOID appliances, it could be done in an easy way through the web GUI as follows:

1. Navigate to the appliance web GUI and go to the section System > Local Services on the sidebar:

2. Enable the SNMP checkbox and configure the interface from which the incoming requests will be allowed. It’s recommendable to set up here the management interface.

3. We can change the listening port and the community name, notice that the such name is required when requesting an OID and should be included in the request.

4. The last field is the IP address or subnet from which the service will allow incoming requests.

With this service your application delivery can be monitor in a centralized SIEM platform in order to ensure the right traffic behavior.

Please find below some useful SNMP OIDs in order to monitor properly a load balancer. Note that there are a lot of different OIDs to use, so we recommend to use a tool like snmptranslate in order to translate them to a more understandable name for network managers.

SNMPv3 Configuration #

SNMPv3, or Simple Network Management Protocol version 3, represents a significant enhancement in security and functionality over its predecessors. It addresses the vulnerabilities of SNMPv1 and SNMPv2 by providing authentication, encryption, and access control features. SNMPv3 introduces the concept of security models, including User-based Security Model (USM) and View-based Access Control Model (VACM), ensuring that only authorized users can access and manage network devices. Authentication mechanisms such as MD5 and SHA are utilized for data integrity, while encryption methods like DES and AES ensure confidentiality, making SNMPv3 the preferred choice for secure network management in modern environments.

To configure SNMPv3 in the snmpd.conf file, several parameters need to be set. Firstly, authentication and privacy protocols must be specified using the createUser directive, including the username, authentication protocol (e.g., MD5 or SHA), authentication passphrase, privacy protocol (e.g., DES or AES), and privacy passphrase. Access control is managed through the rouser directive, defining the authorized users and their access privileges. Additionally, the com2sec directive establishes the community-to-security name mapping, linking community strings to security names, while the access directive specifies the access control rules, determining which security names can access which MIB objects. Finally, the syslocation and syscontact directives can be used to set the system location and contact information for SNMP traps and notifications. Through careful configuration of these parameters, SNMPv3 can be effectively deployed to ensure secure and efficient network management.

In order to successfully apply a SNMPv3 configuration in SNMPd, enable SNMP service in the RELIANOID Load Balancer as explained above and then edit the /etc/snmp/snmpd.conf file using the template below and uncomment the createuser, createuser and rouser. If additionally, SNMPv3 traps are required then uncomment the SNMPv3 trapsess section.

agentAddress udp:0.0.0.0:161
rocommunity public 0.0.0.0/0

trapcommunity public
authtrapenable 1

## ATTENTION: Use this user to access to the trap server, change <SNMPTRAP_USER>, <AUTHPASS> and <PRIVPASS>
#createuser <SNMPTRAP_USER> SHA <AUTHPASS> AES <PRIVPASS>
#iquerysecname <SNMPTRAP_USER>
#rouser <SNMPTRAP_USER>

## SNMPv1 remote trap, uncomment the line below and change <HOST> and <PORT>
#trapsink <HOST> <PORT>

## SNMPv2 remote trap, uncomment the line below and change <HOST> and <PORT>
#trap2sink <HOST>
#trapsess -Ci --clientaddr=<HOST> -v 2c

## SNMPv3: remote trap, uncomment the line below and change <AUTHPASS>, <PRIVPASS> and <HOST>
## Gather the <ENGINEID> for every node with this command:
## ENGINEID=`grep oldEngineID /var/lib/snmp/snmpd.conf | awk -F ' ' '{printf $2}'`
#trapsess -Ci -v 3 -u <SNMPTRAP_USER> -e <ENGINEID> -l authPriv -a SHA -A <AUTHPASS> -x AES -X <PRIVPASS> <HOST>

linkUpDownNotifications yes
defaultMonitors yes

# check processes consuming more than 100 MB of memory
monitor -r 30 -o hrSWRunName "high process memory" hrSWRunPerfMem > 100000
# check if the network traffic is more than 100Mb/s aprox in any interface
monitor -D -r 30 "network traffic" ifInOctets 0 100000000000
# check for disk problems
monitor -o dskPath -r 30 -o dskErrorMsg  "dskTable" dskErrorFlag !=0

includeAllDisks 10%
load 7

Finally, restart the snmpd service executing:

root@ee-noid-01:~# systemctl restart snmpd.service

Generic MIB-II OIDs #

Official MIB files can be found at the path /usr/share/snmp/mibs/ in the load balancer.

memTotalSwap #

OID: 1.3.6.1.4.1.2021.4.3.0
MIB: UCD-SNMP-MIB
Total swap space configured for the host in kB.

memAvailSwap #

OID: 1.3.6.1.4.1.2021.4.4.0
MIB: UCD-SNMP-MIB
Swap space currently available in kB.

memTotalReal #

OID: 1.3.6.1.4.1.2021.4.5.0
MIB: UCD-SNMP-MIB
Real memory installed on the host in kB.

memAvailReal #

OID: 1.3.6.1.4.1.2021.4.6.0
MIB: UCD-SNMP-MIB
Real memory available in kB.

memTotalFree #

OID: 1.3.6.1.4.1.2021.4.11.0
MIB: UCD-SNMP-MIB
Total of free memory in kB.

memShared #

OID: 1.3.6.1.4.1.2021.4.13.0
MIB: UCD-SNMP-MIB
Total of real or virtual memory allocated for use as shared memory in kB.

memBuffer #

OID: 1.3.6.1.4.1.2021.4.14.0
MIB: UCD-SNMP-MIB
Total of real or virtual memory allocated for use as memory buffer in kB.

memCached #

OID: 1.3.6.1.4.1.2021.4.15.0
MIB: UCD-SNMP-MIB
Total of real or virtual memory allocated for use as cache memory in kB.

laLoad/1 #

OID: 1.3.6.1.4.1.2021.10.1.3.1
MIB: UCD-SNMP-MIB
1 minute CPU Load.

laLoad/2 #

OID: 1.3.6.1.4.1.2021.10.1.3.2
MIB: UCD-SNMP-MIB
5 minute CPU Load.

laLoad/3 #

OID: 1.3.6.1.4.1.2021.10.1.3.3
MIB: UCD-SNMP-MIB
15 minute CPU Load.

SsCpuSystem #

OID: 1.3.6.1.4.1.2021.11.10.0
MIB: UCD-SNMP-MIB
Percentages of system CPU processing system-level time.

ssCpuRawSystem #

OID: 1.3.6.1.4.1.2021.11.52.0
MIB: UCD-SNMP-MIB
Ticks spent in system-level code.

ssCpuIdle #

OID: 1.3.6.1.4.1.2021.11.11.0
MIB: UCD-SNMP-MIB
Percentage of processor time in idle state.

ssCpuRawIdle #

OID: 1.3.6.1.4.1.2021.11.53.0
MIB: UCD-SNMP-MIB
Ticks spent idly per CPU.

ifNumber #

OID: 1.3.6.1.2.1.2.1
MIB: IF-MIB
Number of interfaces in the system.

ifTable #

OID: 1.3.6.1.2.1.2.2
MIB: IF-MIB
This OID corresponds with a table in the MIB2. Note that tables are different in their representation than scalar objects. Imagine a table with an OID xTable, with columns Coli and index i, to gain access to the column Col1 and index 1, we should request a snmpget for xTable.xEntry.Col1.1, where xEntry has only a conceptual meaning, we can also get all entries of a column Col1 with an snmpwalk to xTable.xEntry.Col1 or get the full table with a snmpwalk to its OID (xTable.xEntry). Lets what we get as columns:

ifDescr #

OID: 1.3.6.1.2.1.2.2.1.2
MIB: IF-MIB
Interfaces names.

ifType #

OID: 1.3.6.1.2.1.2.2.1.3
MIB: IF-MIB
Interfaces type, for example, ethernet.

ifMtu #

OID: 1.3.6.1.2.1.2.2.1.4
MIB: IF-MIB
Maximum Transfer Unit.

ifSpeed #

OID: 1.3.6.1.2.1.2.2.1.5
MIB: IF-MIB
Current estimated or nominal bandwidth in b/s.

ifPhysAddress #

OID: 1.3.6.1.2.1.2.2.1.6
MIB: IF-MIB
Lower protocol layer address, for example, MAC address.

ifOperStatus #

OID: 1.3.6.1.2.1.2.2.1.8
MIB: IF-MIB
Current status.

ifInOctets #

OID: 1.3.6.1.2.1.2.2.1.10
MIB: IF-MIB
Number of incoming octets.

ifInUcastPkts #

OID: 1.3.6.1.2.1.2.2.1.11
MIB: IF-MIB
Number of incoming unicast packets.

ifInDiscards #

OID: 1.3.6.1.2.1.2.2.1.13
MIB: IF-MIB
Number of inbound packets discarded.

ifInErrors #

OID: 1.3.6.1.2.1.2.2.1.14
MIB: IF-MIB
Number of inbound packets with errors preventing them to be delivered.

ifOutOctets #

OID: 1.3.6.1.2.1.2.2.1.16
MIB: IF-MIB
Number of transmitted octets.

ifOutUcastPkts #

OID: 1.3.6.1.2.1.2.2.1.17
MIB: IF-MIB
Number of transmitted unicast packets.

ifOutDiscards #

OID: 1.3.6.1.2.1.2.2.1.19
MIB: IF-MIB
Number of transmitted packets discarded.

ifOutErrors #

OID: 1.3.6.1.2.1.2.2.1.20
MIB: IF-MIB
Number of outgoing packets with errors which couldn’t be transmitted.

RELIANOID ADC Enterprise OIDs #

noidHostname #

OID: 1.3.6.1.4.1.61269.1.0.1
MIB: RELIANOID-MIB
Hostname of the ADC.

noidHostIPAddress #

OID: 1.3.6.1.4.1.61269.1.0.2
MIB: RELIANOID-MIB
IP Address of the ADC.

noidLicenseExpDate #

OID: 1.3.6.1.4.1.61269.1.0.3
MIB: RELIANOID-MIB
License Expiration Date.

noidIpAddress #

OID: 1.3.6.1.4.1.61269.1.0.4
MIB: RELIANOID-MIB
IP Address of the related event.

noidInterfaceName #

OID: 1.3.6.1.4.1.61269.1.0.5
MIB: RELIANOID-MIB
Interface name of the related event.

noidSslExpDate #

OID: 1.3.6.1.4.1.61269.1.0.6
MIB: RELIANOID-MIB
Expiration Date for SSL Certificate.

noidSslCertName #

OID: 1.3.6.1.4.1.61269.1.0.7
MIB: RELIANOID-MIB
SSL Certificate Name of the related event.

noidAlarmName #

OID: 1.3.6.1.4.1.61269.1.0.8
MIB: RELIANOID-MIB
Name of the alarm raised.

noidAlarmSeverity #

OID: 1.3.6.1.4.1.61269.1.0.9
MIB: RELIANOID-MIB
Severity of the alarm raised, 1 for critical, 2 for major, 3 for minor, 4 for warning, 5 for clearing trap. The clearing trap is included as Varbind with noidAlarmClearing.

noidAlarmClearing #

OID: 1.3.6.1.4.1.61269.1.0.10
MIB: RELIANOID-MIB
OID of the Trap to be cleared. Included when noidAlarmSeverity is 5.

Generic MIB-II Traps #

linkDown #

OID: 1.3.6.1.6.3.1.1.5.3
Clearance OID: 1.3.6.1.6.3.1.1.5.4
MIB: IF-MIB
A linkDown trap signifies that the SNMP entity, acting in an agent role, has detected that the ifOperStatus object for one of its communication links is about to enter the down state from some other state (but not from the notPresent state). This other state is indicated by the included value of ifOperStatus.

linkUp #

OID: 1.3.6.1.6.3.1.1.5.4
MIB: IF-MIB
A linkUp trap signifies that the SNMP entity, acting in an agent role, has detected that the ifOperStatus object for one of its communication links left the down state and transitioned into some other state (but not into the notPresent state). This other state is indicated by the included value of ifOperStatus.

hrSWRunName #

OID: 1.3.6.1.2.1.25.4.2.1.2
MIB: HOST-RESOURCES-V2-MIB
A textual description of this running piece of software, including the manufacturer, revision, and the name by which it is commonly known. If this software was installed locally, this should be the same string as used in the corresponding hrSWInstalledName.

mteTriggerRising #

OID: 1.3.6.1.2.1.88.2.0.2
Clearance OID: 1.3.6.1.2.1.88.2.0.3
MIB: DISMAN-EVENT-MIB
Notification that the rising threshold was met for triggers with mteTriggerType ‘threshold’. The bandwidth of any network interface is above the specified threshold. It should be analyzed if the consumption is legitimate.

mteTriggerFalling #

OID: 1.3.6.1.2.1.88.2.0.3
MIB: DISMAN-EVENT-MIB
Notification that the falling threshold was met for triggers with mteTriggerType ‘threshold’. The bandwidth is normal.

dskErrorFlag #

OID: 1.3.6.1.4.1.2021.9.1.100
MIB: UCD-SNMP-MIB
Error flag signaling that the disk or partition is under the minimum required space configured for it. The load balancer file system is affected, some administration maintenance required. Check the disk status and open an issue to the Support Portal to be investigated.

laNames #

OID: 1.3.6.1.4.1.2021.10.1.3.1
MIB: UCD-SNMP-MIB
1 minute Load. The load balancer is overloaded, some processes could be inoperative.

RELIANOID ADC Enterprise Traps #

noidLicenseExpiration #

OID: 1.3.6.1.4.1.61269.1.1.1
Clearing OID: 1.3.6.1.4.1.61269.1.1.3
MIB: RELIANOID-MIB
The load balancer license is expiring soon. Request the renewal of the support service. Varbinds: noidAlarmName, noidAlarmSeverity, noidHostname.

noidLicenseInactive #

OID: 1.3.6.1.4.1.61269.1.1.2
Clearing OID: 1.3.6.1.4.1.61269.1.1.3
MIB: RELIANOID-MIB
The load balancer license is expired. Request the renewal of the support service. Varbinds: noidAlarmName, noidAlarmSeverity, noidHostname.

noidLicenseOK #

OID: 1.3.6.1.4.1.61269.1.1.3
MIB: RELIANOID-MIB
The load balancer license is ok. Varbinds: noidAlarmName, noidAlarmSeverity, noidHostname, noidAlarmClearing.

noidClusterNodeToPrimary #

OID: 1.3.6.1.4.1.61269.1.1.4
Clearing OID: 1.3.6.1.4.1.61269.1.1.5
MIB: RELIANOID-MIB
The cluster node has switched to Primary. Check the system logs of the load balancer to analyze the main reason of the switch. In the primary node, this OID will be the clearing event of clusterNodeToSecondary. Varbinds: noidAlarmName, noidAlarmSeverity, noidHostname, noidAlarmClearing.

noidClusterNodeToSecondary #

OID: 1.3.6.1.4.1.61269.1.1.5
Clearing OID: 1.3.6.1.4.1.61269.1.1.4
MIB: RELIANOID-MIB
The cluster node has switched to Secondary. Check the system logs of the load balancer to analyze the main reason of the switch. In the secondary node, this OID will be the clearing event of clusterNodeToPrimary. Varbinds: noidAlarmName, noidAlarmSeverity, noidHostname, noidAlarmClearing.

noidClusterAlert #

OID: 1.3.6.1.4.1.61269.1.1.6
MIB: RELIANOID-MIB
There is an alert related with the cluster. Check the description of the alarm and the system logs to analyze the main reason of the alarm. Varbinds: noidAlarmName, noidAlarmSeverity, noidHostname.

noidBackendDown #

OID: 1.3.6.1.4.1.61269.1.1.7
Clearing OID: 1.3.6.1.4.1.61269.1.1.8
MIB: RELIANOID-MIB
Backend is detected down. Check the alarm description and test the availability of the backend from the load balancer. Varbinds: noidAlarmName, noidAlarmSeverity, noidHostname, noidIpAddress.

noidBackendUp #

OID: 1.3.6.1.4.1.61269.1.1.8
MIB: RELIANOID-MIB
Backend is detected up. Varbinds: noidAlarmName, noidAlarmSeverity, noidHostname, noidIpAddress, noidAlarmClearing.

noidInterfaceDown #

OID: 1.3.6.1.4.1.61269.1.1.9
Clearing OID: 1.3.6.1.4.1.61269.1.1.10
MIB: RELIANOID-MIB
Interface is detected as down. Check the connectivity of the network interface. Varbinds: noidAlarmName, noidAlarmSeverity, noidHostname, noidInterfaceName.

noidInterfaceUp #

OID: 1.3.6.1.4.1.61269.1.1.10
MIB: RELIANOID-MIB
Interface is detected as up. Varbinds: noidAlarmName, noidAlarmSeverity, noidHostname, noidInterfaceName, noidAlarmClearing.

noidUpdateAvailable #

OID: 1.3.6.1.4.1.61269.1.1.11
Clearing OID: 1.3.6.1.4.1.61269.1.1.12
MIB: RELIANOID-MIB
Load Balancer updates available. Check the packages to update and prepare the update. Varbinds: noidAlarmName, noidAlarmSeverity, noidHostname.

noidUpdateOK #

OID: 1.3.6.1.4.1.61269.1.1.12
MIB: RELIANOID-MIB
Load Balancer is up to date. Varbinds: noidAlarmName, noidAlarmSeverity, noidHostname, noidAlarmClearing.

noidCertSSLExpiration #

OID: 1.3.6.1.4.1.61269.1.1.13
Clearing OID: 1.3.6.1.4.1.61269.1.1.14
MIB: RELIANOID-MIB
There is an SSL Certificate imported in the load balancer expired. Renew and import the certificate in the load balancer. Varbinds: noidAlarmName, noidAlarmSeverity, noidHostname, noidSslCertName.

noidCertSSLOK #

OID: 1.3.6.1.4.1.61269.1.1.14
MIB: RELIANOID-MIB
The SSL Certificates are valid. Varbinds: noidAlarmName, noidAlarmSeverity, noidHostname, noidAlarmClearing.

Backends SNMP monitoring from the load balancer #

On the other hand, SNMP is very useful in a load balancer point of view as it could be used to gather backends metrics and use them to change the scheduler behavior or to automate the activation and deactivation of backends. Refer to this link to get more information about how to use a custom farm guardian check with SNMP.

Further application delivery monitoring #

There are use cases where it’s needed to get specific monitoring values like the farms, backends or clustering statistics and states. To gather these specific values, please follow this article it can also be done through the REST api.

Further monitoring resources #

Refer to the articles about how to monitor RELIANOID Appliances with Nagios or Zabbix through the following links:

https://www.relianoid.com/knowledge-base/howtos/monitoring-relianoid-nagios/
https://www.relianoid.com/knowledge-base/howtos/monitoring-relianoid-zabbix/

Hope that you find this article useful and that it takes you to the next level of using SNMP to monitor RELIANOID Appliances!

References #

UCD-SNMP-MIB http://www.net-snmp.org/docs/mibs/UCD-SNMP-MIB.txt
SNMP protocol RFC: https://tools.ietf.org/html/rfc1157
SIM RFC: https://tools.ietf.org/html/rfc1065
net-snmp: http://www.net-snmp.org/wiki/
Debian wiki snmp: https://wiki.debian.org/SNMP
UCD-SNMP-MIB: http://www.net-snmp.org/docs/mibs/UCD-SNMP-MIB.txt

SHARE ON:

Powered by BetterDocs