Specifying the location of management tools that will receive events
In the configuration file for the SNMP emitter, the agent.host and agent.port entries configure the snmp emitter to tell the Agent which of its configured management tools should receive the emitted Audit Events. For example:
mfaudit.emitter.snmp#agent.hostname = 127.0.0.1
WinSNMP cannot handle DNS (text) names and will only accept dotted decimal notation IP addresses like the one shown in the example above.
Net-SNMP can handle DNS or Dotted Decimal notation for the host location.
The Internet Assigned Names Authority (IANA) defines the standard ports to be used for SNMP traffic. Although it is entirely possible that specific installations may choose to use other ports, the following are the defined standard group of ports:
The SNMP Audit Emitter only uses the SNMPTRAP ports. If any installations require an override of the port definitions, follow the guidance below for configuring the SNMP agents on your installation, and modify the mfaudit.emitter.snmp#agent.port line in the configuration file. Failure to do both sets of configuration will lead to indeterminate results.
mfaudit.emitter.snmp#agent.port = 162
The transmission method is either UDP or TCP. UDP is widely used as it is fast and has few system overheads. UDP was also the only transmission method available in the early days of SNMP. TCP is slower but it can be used to transmit more than a single IP packet of information, and if audited events are being truncated the user should switch to using TCP. When changing a working system, remember that both the receiver and sender must share a similar configuration, so the changes must be made at both ends of the link.
To select UDP, set transport = UDP. For TCP, set transport = TCP. The default is to use UDP.
mfaudit.emitter.snmp#agent.transport = UDP
The SNMP Trap versions are set using the "snmp_version" configuration option. Acceptable values are either "2" or "3". The default snmpv value is "2".
If SNMP v3 is selected and you wish to use the authentication and privacy features, several extra parameters are also required and you must have the Net SNMP emitter module that is supplied with the Security Pack. See Working with SNMP v3 for more details.
mfaudit.emitter.snmp#agent.snmp_version= 2
The actual range of events that will be audited through this emitter can be masked using the agent.exclude.events option. For more details of this option, see the general Audit Manager documentation. The default behaviour is to exclude events below those at category 9.
mfaudit.emitter.snmp#agent.exclude.events=>9
All SNMP v2 and v3 installations operate within logical communities of installations. If no community name is specified all SNMP installations will use the default community name "public".
To specify the community of your local installations and, in particular, that of the receiver of the SNMP audit events, you will need to add a community option to your configuration file. This name must not be spacey in form.
mfaudit.emitter.snmp#agent.community = community_name