Sending SNMP Traps to a Specific Host
By default, in JSA products, SNMP traps are sent to the host that is identified in your host.conf file. You can customize the snmp.xml file to send SNMP traps to a different host.
SNMPv3 rule responses are sent out as SNMP informs and not traps.
- Use SSH to log in to JSA as the root user.
- Go to the /opt/qradar/conf directory and make backup copies of the following files:
eventCRE.snmp.xml
offenseCRE.snmp.xml
- Open the configuration file for editing.
To edit the SNMP parameters for event rules, open the eventCRE.snmp.xml file.
To edit the SNMP parameters for offense rules, open the offenseCRE.snmp.xml file.
- Add no more than one <trapConfig> element inside the <snmp> element inside
the <creSNMPTrap> element and before any other
child elements.
<trapConfig> <!-- All attribute values are default --> <snmpHost snmpVersion="3" port="162" retries="2" timeout="500">HOST </snmpHost> <!-- Community String for Version 2 --> <communityString>COMMUNITY_STRING</communityString> <!-- authenticationProtocol (MD5 or SHA)securityLevel (AUTH_PRIV, AUTH_NOPRIV or NOAUTH_PRIV) --> <authentication authenticationProtocol="MD5"securityLevel="AUTH_PRIV"> AUTH_PASSWORD </authentication> <!-- decryptionProtocol (DES, AES128, AES192 or AES256) --> <decryption decryptionProtocol="AES256"> DECRYPTIONPASSWORD </decryption> <!-- SNMP USER--> <user> SNMP_USER </user> </trapConfig>
- Use the following table to help you update the attributes.
Table 1: Attribute Values to Update in the <trapConfig> Element Element
Description
</snmpHost>The new host to which you want to send SNMP traps.
The value for the
snmpVersionattribute for<snmpHost>element must be 2 or 3.<communityString>The community string for the host. Do not use special characters.
<authentication>An authentication protocol, security level, and password for the host.
<decryption>The decryption protocol and password for the host.
<user>SNMP user
- Save and close the file.
- Copy the file from the /opt/qradar/conf directory to the /store/ configservices/staging/globalconfig directory.
- Log in to the JSA as an administrator.
- On the navigation menu (
), click Admin. - Select Advanced >Deploy Full Configuration.Note:
JSA continues to collect events when you deploy the full configuration. When the event collection service must restart, JSA does not restart it automatically. A message displays that gives you the option to cancel the deployment and restart the service at a more convenient time.