Kaspersky Next XDR Expert

Connector, snmp-trap type
- Configuring the source of SNMP trap messages for Windows
  - Configuring and starting the SNMP and SNMP trap services
  - Configuring the Event to Trap Translator service

Connector, snmp-trap type

Connectors of the snmp-trap typeUsed for passively receiving events using SNMP traps when working with Windows and Linux agents. The connector receives snmp-trap events and prepares them for normalization by mapping SNMP object IDs to temporary keys. Then the message is passed to the JSON normalizer, where the temporary keys are mapped to the KUMA fields and an event is generated. To process events received over SNMP, you must use the json normalizer. Supported SNMP versions:

snmpV1
snmpV2

Settings for a connector of the snmp-trap type are described in the following tables.

Basic settings tab

Setting	Description
Name	Unique name of the resource. The maximum length of the name is 128 Unicode characters. Required setting.
Tenant	The name of the tenant that owns the resource. Required setting.
Type	Connector type: snmp-trap. Required setting.
Tags	Tags for resource search. Optional setting.
Description	Description of the resource. The maximum length of the description is 4000 Unicode characters.
SNMP resource	Connection settings for receiving snmp-trap events: SNMP version is the version of the SNMP protocol being used: snmpV1 snmpV2 For example, Windows uses the snmpV2 version of the SNMP protocol by default. Required setting. URL is the URL for receiveing SNMP trap events. You can enter a URL in one of the following formats: `<host name>:<port number>` `<IPv4 address>:<port number>` `<IPv6 address>:<port number>` `:<port number>` Required setting. You can add multiple connections or delete a connection. To add a connection, click the + SNMP resource button. To remove a SNMP resource, click the delete icon next to it.
Settings	Rules for naming the received data, according to which OIDs (object identifiers) are converted to the keys with which the normalizer can interact. Available settings: Parameter name is the name for the data type, for example, `Host name` or `Host uptime`. Required setting. OID is a unique identifier that determines where to look for the required data at the event source, for example, `1.3.6.1.2.1.1.5`. Required setting. Key is a unique identifier returned in response to a request to the device with the value of the requested parameter, for example, `sysName`. You can reference the key when normalizing data. Required setting. If the MAC address check box is selected, KUMA correctly decodes data where the OID contains information about the MAC address in OctetString format. After decoding, the MAC address is converted to a String value of the XX:XX:XX:XX:XX:XX format. You can do the following with rules: Add multiple rules. To add a rule, click the +Add button. Delete rules. To delete a rule, select the check box next to it and click Delete. Clear rule settings. To do so, click the Clear all values button. Populate the table with mappings for OID values received in WinEventLog logs. To do this, click the Apply OIDs for WinEventLog button. If more data needs to be determined and normalized in the incoming events, add to the table rows containing OID objects and their keys. Data is processed according to the allow list principle: objects that are not specified in the table are not sent to the normalizer for further processing.

Advanced settings tab

Setting	Description
Debug	Ths switch enables resource logging. The toggle switch is turned off by default.
Character encoding	Character encoding. The default is UTF-8. When receiving snmp-trap events from Windows with Russian localization, if you encounter invalid characters in the event, we recommend changing the character encoding in the snmp-trap connector to Windows 1251.

Setting

Description

Debug

Ths switch enables resource logging. The toggle switch is turned off by default.

Character encoding

Character encoding. The default is UTF-8.

When receiving snmp-trap events from Windows with Russian localization, if you encounter invalid characters in the event, we recommend changing the character encoding in the snmp-trap connector to Windows 1251.

In this section

Configuring the source of SNMP trap messages for Windows

Page top

Configuring the source of SNMP trap messages for Windows

Configuring a Windows device to send SNMP trap messages to the KUMA collector proceeds in stages:

Configuring and starting the SNMP and SNMP trap services
Configuring the Event to Trap Translator service

Events from the source of SNMP trap messages must be received by the KUMA collector, which uses a connector of the snmp-trap type and a json normalizer.

In this section

Configuring and starting the SNMP and SNMP trap services

Configuring the Event to Trap Translator service

Page top

Configuring and starting the SNMP and SNMP trap services

To configure and start the SNMP and SNMP trap services in Windows 10:

Open Settings → Apps → Apps and features → Optional features → Add feature → Simple Network Management Protocol (SNMP) and click Install.
Wait for the installation to complete and restart your computer.
Make sure that the SNMP service is running. If any of the following services are not running, enable them:
- Services → SNMP Service.
- Services → SNMP Trap.
Right-click Services → SNMP Service, and in the context menu select Properties. Specify the following settings:
- On the Log On tab, select the Local System account check box.
- On the Agent tab, fill in the Contact (for example, specify User-win10) and Location (for example, specify detroit) fields.
- On the Traps tab:
  - In the Community Name field, enter community public and click Add to list.
  - In the Trap destination field, click Add, specify the IP address or host of the KUMA server on which the collector that waits for SNMP events is deployed, and click Add.
- On the Security tab:
  - Select the Send authentication trap check box.
  - In the Accepted community names table, click Add, enter Community Name public and specify READ WRITE as the Community rights.
  - Select the Accept SNMP packets from any hosts check box.
Click Apply and confirm your selection.
Right click Services → SNMP Service and select Restart.

To configure and start the SNMP and SNMP trap services in Windows XP:

Open Start → Control Panel → Add or Remove Programs → Add / Remove Windows Components → Management and Monitoring Tools → Details.
Select Simple Network Management Protocol and WMI SNMP Provider, and then click OK → Next.
Wait for the installation to complete and restart your computer.
Make sure that the SNMP service is running. If any of the following services are not running, enable them by setting the Startup type to Automatic:
- Services → SNMP Service.
- Services → SNMP Trap.
Right-click Services → SNMP Service, and in the context menu select Properties. Specify the following settings:
- On the Log On tab, select the Local System account check box.
- On the Agent tab, fill in the Contact (for example, specify User-win10) and Location (for example, specify detroit) fields.
- On the Traps tab:
  - In the Community Name field, enter community public and click Add to list.
  - In the Trap destination field, click Add, specify the IP address or host of the KUMA server on which the collector that waits for SNMP events is deployed, and click Add.
- On the Security tab:
  - Select the Send authentication trap check box.
  - In the Accepted community names table, click Add, enter Community Name public and specify READ WRITE as the Community rights.
  - Select the Accept SNMP packets from any hosts check box.
Click Apply and confirm your selection.
Right click Services → SNMP Service and select Restart.

Changing the port for the SNMP trap service

You can change the SNMP trap service port if necessary.

To change the port of the SNMP trap service:

Open the C:\Windows\System32\drivers\etc folder.
Open the services file in Notepad as an administrator.
In the service name section of the file, specify the snmp-trap connector port added to the KUMA collector for the SNMP trap service.
Save the file.
Open the Control Panel and select Administrative Tools → Services.
Right-click SNMP Service and select Restart.

Page top

Configuring the Event to Trap Translator service

To configure the Event to Trap Translator service that translates Windows events to SNMP trap messages:

In the command line, type evntwin and press Enter.
Under Configuration type, select Custom, and click the Edit button.
In the Event sources group of settings, use the Add button to find and add the events that you want to send to KUMA collector with the SNMP trap connector installed.
Click the Settings button, in the opened window, select the Don't apply throttle check box, and click OK.
Click Apply and confirm your selection.

Page top

Contents

Connector, snmp-trap type