
Customizing the SNMP Trap Output

 

JSA uses SNMP to send traps that provide information when rule conditions are met.

By default, JSA uses the JSA management information base (MIB) to manage the devices in the communications network. However, you can customize the output of the SNMP traps to adhere to another MIB.

  1. Use SSH to log in to JSA as the root user.
  2. Go to the /opt/qradar/conf directory and make backup copies of the following files:
    • eventCRE.snmp.xml

    • offenseCRE.snmp.xml

  3. Open the configuration file for editing.
    • To edit the SNMP parameters for event rules, open the eventCRE.snmp.xml file.

    • To edit the SNMP parameters for offense rules, open the offenseCRE.snmp.xml file.

  4. To change the trap that is used for SNMP trap notification, update the following text with the appropriate trap object identifier (OID):
  5. Use the following table to help you update the variable binding information:

    Each variable binding associates a particular MIB object instance with its current value.

    Table 1: Value Types for Variable Binding

    | Value type | Description | Example |
    |---|---|---|
    | string | Alphanumeric characters. You can configure multiple values. | |
    | integer32 | A numerical value | name="ATTACKER_PORT" type="integer32">%ATTACKER_PORT% |
    | oid | Each SNMP trap carries an identifier that is assigned to an object within the MIB | OID="1.3.6.1.4.1.20212.2.46" |
    | gauge32 | A numerical value range | |
    | counter64 | A numerical value that increments within a defined minimum and maximum range | |

  6. For each of the value types, include any of the following fields:

    Table 2: Fields for the Variable Bindings

    | Field | Description | Example |
    |---|---|---|
    | Native | For more information about these fields, see the /opt/qradar/conf/snmp.help file. | |
    | Custom | Custom SNMP trap information that you configured for the custom rules wizard | |

    Surround the field name with percentage (%) signs. Within the percentage signs, fields must match the value type.

  7. Save and close the file.
  8. Copy the file from the /opt/qradar/conf directory to the /store/configservices/staging/globalconfig directory.
  9. Log in to the JSA interface.
  10. On the navigation menu, click Admin to open the admin tab.
  11. Select Advanced > Deploy Full Configuration.

    Note: JSA continues to collect events when you deploy the full configuration. When the event collection service must restart, JSA does not restart it automatically. A message displays that gives you the option to cancel the deployment and restart the service at a more convenient time.
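
A malformed trap file means missed notifications when a rule fires, so it is worth linting the edited file before copying it to staging in step 8. The following check is an added example, not part of JSA or of the original page: it verifies well-formedness, OID syntax, the value types from Table 1, and balanced percent signs around field names. The element names `creSNMPTrap` and `variableBinding` and the field `EVENT_COUNT` are assumptions used for the constructed sample.

```python
import re
import xml.etree.ElementTree as ET

# Value types listed in Table 1 of this page; extend if your MIB needs others.
VALUE_TYPES = {"string", "integer32", "oid", "gauge32", "counter64"}
NUMERIC_TYPES = {"integer32", "gauge32", "counter64"}
OID_RE = re.compile(r"\d+(\.\d+)+")
FIELD_RE = re.compile(r"%[A-Za-z0-9_]+%")

def local(tag):
    """Strip an XML namespace so the check works with or without one."""
    return tag.rsplit("}", 1)[-1]

def lint_trap_xml(text):
    """Return a list of problems found in an edited *.snmp.xml document."""
    try:
        root = ET.fromstring(text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    problems = []
    for el in root.iter():
        oid = el.get("OID")
        if oid is not None and not OID_RE.fullmatch(oid):
            problems.append(f"<{local(el.tag)}> has malformed OID {oid!r}")
        if local(el.tag) != "variableBinding":  # assumed element name
            continue
        name, vtype = el.get("name", "?"), el.get("type")
        body = (el.text or "").strip()
        if vtype not in VALUE_TYPES:
            problems.append(f"{name}: value type {vtype!r} is not in Table 1")
        # Whatever is left after removing %FIELD% tokens must not contain '%'.
        if "%" in FIELD_RE.sub("", body):
            problems.append(f"{name}: unbalanced % around a field name")
        # Assumption: a numeric binding is one field or one integer literal.
        if vtype in NUMERIC_TYPES and not (FIELD_RE.fullmatch(body) or body.isdigit()):
            problems.append(f"{name}: {vtype} body {body!r} is not numeric")
    return problems

# Constructed sample, not a copy of the shipped eventCRE.snmp.xml.
SAMPLE = """<creSNMPTrap OID="1.3.6.1.4.1.20212.2.46" name="sample">
  <variableBinding name="ATTACKER_PORT" type="integer32">%ATTACKER_PORT%</variableBinding>
  <variableBinding name="NOTE" type="string">port %ATTACKER_PORT</variableBinding>
  <variableBinding name="COUNT" type="int">%EVENT_COUNT%</variableBinding>
</creSNMPTrap>"""

if __name__ == "__main__":
    for problem in lint_trap_xml(SAMPLE):
        print(problem)
```

To check a real file, pass its contents to `lint_trap_xml()` and copy it to the staging directory only when the returned list is empty.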