Kaspersky Unified Monitoring and Analysis Platform
[2.0.1] Connector, snmp-trap type

Connectors of the snmp-trap type are used for passively receiving events using SNMP traps when working with Windows and Linux agents. The connector receives snmp-trap events and prepares them for normalization by mapping SNMP object IDs to temporary keys. Then the message is passed to the JSON normalizer, where the temporary keys are mapped to the KUMA fields and an event is generated. To process events received over SNMP, you must use the json normalizer. Supported SNMP protocol versions:

  • snmpV1
  • snmpV2

Settings for a connector of the snmp-trap type are described in the following tables.

Basic settings tab

Setting

Description

Name

Unique name of the resource. The maximum length of the name is 128 Unicode characters.

Required setting.

Tenant

The name of the tenant that owns the resource.

Required setting.

Type

Connector type: snmp-trap.

Required setting.

Description

Description of the resource. The maximum length of the description is 4000 Unicode characters.

SNMP resource

Connection settings for receiving snmp-trap events:

  • SNMP version is the version of the SNMP protocol being used:
    • snmpV1
    • snmpV2

    For example, Windows uses the snmpV2 version of the SNMP protocol by default.

    Required setting.

  • URL is the URL for receiving SNMP trap events. You can enter a URL in one of the following formats:
    • <host name>:<port number>
    • <IPv4 address>:<port number>
    • <IPv6 address>:<port number>
    • :<port number>

    Required setting.

You can add multiple connections or delete a connection. To add a connection, click the + SNMP resource button. To remove an SNMP resource, click the delete (cross) icon next to it.

Settings

Rules for naming the received data, according to which OIDs (object identifiers) are converted to the keys with which the normalizer can interact. Available settings:

  • Parameter name is the name for the data type, for example, Host name or Host uptime.

    Required setting.

  • OID is a unique identifier that determines where to look for the required data at the event source, for example, 1.3.6.1.2.1.1.5.

    Required setting.

  • Key is the unique temporary key under which the value of the requested parameter (the data found at the OID) is stored for the normalizer, for example, sysName. You can reference the key when normalizing data.

    Required setting.

  • If the MAC address check box is selected, KUMA decodes the value at this OID as a MAC address transmitted in OctetString format. After decoding, the MAC address is converted to a String value of the XX:XX:XX:XX:XX:XX format.

You can do the following with rules:

  • Add multiple rules. To add a rule, click the + Add button.
  • Delete rules. To delete a rule, select the check box next to it and click Delete.
  • Clear rule settings. To do so, click the Clear all values button.
  • Populate the table with mappings for OID values received in WinEventLog logs. To do this, click the Apply OIDs for WinEventLog button.

    If more data needs to be determined and normalized in the incoming events, add rows with the corresponding OIDs and their keys to the table.

    Data is processed according to the allow list principle: objects that are not specified in the table are not sent to the normalizer for further processing.

Advanced settings tab

Setting

Description

Debug

The switch enables resource logging. The toggle switch is turned off by default.

Character encoding

Character encoding. The default is UTF-8.

When receiving snmp-trap events from Windows with Russian localization, if you encounter invalid characters in the event, we recommend changing the character encoding in the snmp-trap connector to Windows-1251.
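The following added example (not KUMA code, and not taken from this page) models the preparation step the Settings table and the Character encoding setting describe: the varbinds of a received trap are matched against the rules table, only listed OIDs survive (allow-list principle), a MAC flagged rule turns an OctetString into XX:XX:XX:XX:XX:XX form, and other OctetString values are decoded with the connector's character encoding, which is what produces the invalid characters mentioned above when a Windows-1251 host is decoded as UTF-8. The sysName OID 1.3.6.1.2.1.1.5 is the one the page cites; the sysUpTime and ifPhysAddress OIDs are standard MIB-2 identifiers that the page does not mention, the enterprise OID under 1.3.6.1.4.1.99999 is a placeholder, and the trap contents are constructed sample data.

```python
"""
Added example (not KUMA code): how an snmp-trap connector's rules table can
turn a received trap's varbinds into temporary keys for the json normalizer.
All OIDs, rule values and trap contents below are constructed for the example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One row of the connector's Settings table: name, OID, key, MAC flag."""
    parameter_name: str
    oid: str
    key: str
    mac_address: bool = False


def decode_mac(octets: bytes) -> str:
    """Convert a 6-byte OctetString into the XX:XX:XX:XX:XX:XX string form."""
    if len(octets) != 6:
        raise ValueError(f"expected 6 octets for a MAC address, got {len(octets)}")
    return ":".join(f"{b:02X}" for b in octets)


def prepare_for_normalizer(varbinds: dict, rules: list, encoding: str = "UTF-8") -> dict:
    """
    Map trap varbinds (OID -> raw value) to the keys the normalizer will see.

    Only OIDs present in `rules` are kept (allow-list principle); any other
    OID is dropped before normalization. OctetString (bytes) values are
    decoded with the connector's character encoding unless the rule marks
    them as a MAC address, in which case they are rendered as hex octets.
    """
    by_oid = {rule.oid: rule for rule in rules}
    prepared = {}
    for oid, raw in varbinds.items():
        rule = by_oid.get(oid)
        if rule is None:
            continue  # not in the table: not sent to the normalizer
        if rule.mac_address:
            prepared[rule.key] = decode_mac(raw)
        elif isinstance(raw, bytes):
            # errors="replace" reproduces the "invalid characters" symptom
            # seen when the configured encoding does not match the sender's.
            prepared[rule.key] = raw.decode(encoding, errors="replace")
        else:
            prepared[rule.key] = raw
    return prepared


# Constructed rules table (hypothetical values; the MAC row uses the standard
# ifPhysAddress column OID with an interface index of 1).
RULES = [
    Rule("Host name", "1.3.6.1.2.1.1.5", "sysName"),
    Rule("Host uptime", "1.3.6.1.2.1.1.3", "sysUpTime"),
    Rule("Interface MAC", "1.3.6.1.2.1.2.2.1.6.1", "ifPhysAddress", mac_address=True),
]

# Constructed trap: the host name is Cyrillic text encoded as Windows-1251
# bytes, the way a Russian-localized Windows host would send it.
TRAP = {
    "1.3.6.1.2.1.1.5": "Сервер-01".encode("cp1251"),
    "1.3.6.1.2.1.1.3": 123456,
    "1.3.6.1.2.1.2.2.1.6.1": bytes.fromhex("001a2b3c4d5e"),
    "1.3.6.1.4.1.99999.1": b"ignored",  # placeholder OID, not in the rules table
}


if __name__ == "__main__":
    print("UTF-8:       ", prepare_for_normalizer(TRAP, RULES))
    print("Windows-1251:", prepare_for_normalizer(TRAP, RULES, encoding="cp1251"))
```

Running the block with the default UTF-8 encoding yields a sysName full of replacement characters, while passing `encoding="cp1251"` yields the readable host name; the unlisted enterprise OID never reaches the output in either case, and the MAC row comes out as 00:1A:2B:3C:4D:5E.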

In this section

Configuring the source of SNMP trap messages for Windows