Sending SNMP Traps to a Specific Host
By default, in JSA products, SNMP traps are sent to the host that is identified in your host.conf file. You can customize the snmp.xml file to send SNMP traps to a different host.
- Use SSH to log in to JSA as the root user.
- Go to the /opt/qradar/conf directory and make backup copies of the following files:
  eventCRE.snmp.xml
  offenseCRE.snmp.xml
- Open the configuration file for editing.
  To edit the SNMP parameters for event rules, open the eventCRE.snmp.xml file.
  To edit the SNMP parameters for offense rules, open the offenseCRE.snmp.xml file.
- Add no more than one <trapConfig> element inside the <snmp> element inside the <creSNMPTrap> element and before any other child elements.
    <trapConfig>
      <!-- All attribute values are default -->
      <snmpHost snmpVersion="3" port="162" retries="2" timeout="500">HOST</snmpHost>
      <!-- Community String for Version 2 -->
      <communityString>COMMUNITY_STRING</communityString>
      <!-- authenticationProtocol (MD5 or SHA) securityLevel (AUTH_PRIV, AUTH_NOPRIV or NOAUTH_PRIV) -->
      <authentication authenticationProtocol="MD5" securityLevel="AUTH_PRIV">AUTH_PASSWORD</authentication>
      <!-- decryptionProtocol (DES, AES128, AES192 or AES256) -->
      <decryption decryptionProtocol="AES256">DECRYPTIONPASSWORD</decryption>
      <!-- SNMP USER -->
      <user>SNMP_USER</user>
    </trapConfig>
- Use the following table to help you update the attributes.

Table 1: Attribute Values to Update in the <trapConfig> Element

| Element | Description |
| --- | --- |
| <snmpHost> | The new host to which you want to send SNMP traps. The value for the snmpVersion attribute for the <snmpHost> element must be 2 or 3. |
| <communityString> | The community string for the host. |
| <authentication> | An authentication protocol, security level, and password for the host. |
| <decryption> | The decryption protocol and password for the host. |
| <user> | SNMP user |

- Save and close the file.
- Copy the file from the /opt/qradar/conf directory to the /store/configservices/staging/globalconfig directory.
- Log in to the JSA as an administrator.
- On the navigation menu, click Admin.
- Select Advanced > Deploy Full Configuration.

Note: JSA continues to collect events when you deploy the full configuration. When the event collection service must restart, JSA does not restart it automatically. A message displays that gives you the option to cancel the deployment and restart the service at a more convenient time.
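
A pre-deployment check for the edited file, written for this page as an added example (it is not Juniper or JSA code): it verifies the placement rule for <trapConfig>, the attribute values listed in the template comments and Table 1, and that no template placeholder was left in place. It assumes the file uses no XML namespaces; the function name, the <existingChild/> element, and the sample values are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Allowed attribute values, taken from the page's template comments and table.
ALLOWED = {
    ("snmpHost", "snmpVersion"): {"2", "3"},
    ("authentication", "authenticationProtocol"): {"MD5", "SHA"},
    ("authentication", "securityLevel"): {"AUTH_PRIV", "AUTH_NOPRIV", "NOAUTH_PRIV"},
    ("decryption", "decryptionProtocol"): {"DES", "AES128", "AES192", "AES256"},
}
# Placeholder text from the template that must be replaced before deploying.
PLACEHOLDERS = {"HOST", "COMMUNITY_STRING", "AUTH_PASSWORD", "DECRYPTIONPASSWORD", "SNMP_USER"}

def check_trap_config(xml_text):
    """Return a list of problems with <trapConfig> in a CRE snmp.xml document."""
    root = ET.fromstring(xml_text)  # XML comments are dropped by the default parser
    snmp_elems = [s for cre in root.iter("creSNMPTrap") for s in cre.findall("snmp")]
    if not snmp_elems:
        return ["no <snmp> element inside <creSNMPTrap>"]
    problems = []
    for snmp in snmp_elems:
        children = list(snmp)
        configs = [c for c in children if c.tag == "trapConfig"]
        if len(configs) > 1:
            problems.append("more than one <trapConfig> element")
        if configs and children[0].tag != "trapConfig":
            problems.append("<trapConfig> is not the first child of <snmp>")
        for cfg in configs:
            for el in cfg:
                for (tag, attr), allowed in ALLOWED.items():
                    value = el.get(attr) if el.tag == tag else None
                    if value is not None and value not in allowed:
                        problems.append(f"<{tag}> {attr}={value!r} not in {sorted(allowed)}")
                if (el.text or "").strip() in PLACEHOLDERS:
                    problems.append(f"<{el.tag}> still holds the template placeholder")
    return problems

# Constructed sample: wrong position, unsupported version, unreplaced HOST placeholder.
SAMPLE_BAD = """<creSNMPTrap><snmp>
  <existingChild/>
  <trapConfig>
    <snmpHost snmpVersion="1" port="162" retries="2" timeout="500">HOST</snmpHost>
    <communityString>example-community</communityString>
  </trapConfig>
</snmp></creSNMPTrap>"""

if __name__ == "__main__":
    for problem in check_trap_config(SAMPLE_BAD):
        print("FAIL:", problem)
```

Run it against the edited copy in /opt/qradar/conf before copying the file to the staging directory; an empty result means the checks above passed.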