Version: 2.10.1

SNMP Polling and Traps

The SNMP Polling and Traps Service supports protocol versions v2c and v3.

The service is enabled by default, and you can disable it if not needed. You need to configure this service by specifying:

  1. SNMP credentials
  2. The list of devices to be polled, including mapping to exporter IP in case you receive flow data from these devices
  3. Optionally add MIBs to build OID sets
  4. SNMP Trap ports and credentials
  5. SNMP Polling data defaults / overrides

The service has the following parameters:

| Parameter | Description |
| --- | --- |
| T - SNMP expiration time in secs | Expiration time of SNMP data held in cache; default is 86400 seconds (1 day) |
| Enable(1) or disable(0) SNMP service | 1 - SNMP service enabled; 0 - SNMP service disabled |
| SNMP transport timeout in sec | Time to wait for an SNMP reply from network devices to polling requests |
| SNMP Credentials | Authentication credentials for SNMP polling |
| SNMP service watchlist: Exporter IP, Management IP, Port, Credentials ID | This list contains the devices for SNMP polling, their device group, and SNMP credentials. It can be entered via the NFO GUI, uploaded from a CSV file, or automatically updated by the EDFN Agent from a CSV file maintained externally. It also maps the Exporter IP address to the SNMP management IP address, in case correlation between flow data and SNMP data is required |
| SNMP service watchlist: MIB Name | Allows you to upload SNMP MIBs. OIDs from these MIBs will be available for building SNMP OID sets in NFO Module 10103: SNMP Custom OID Sets Monitor |
| SNMP Trap Inputs: Port, Credentials ID | SNMP Port, SNMP Credentials ID. This port and these credentials are used by devices when sending SNMP traps. |

NOTE: For SNMPv3, make sure you specify the Engine ID in Credentials.

SNMP Credentials

Click “> SNMP Credentials” to set up SNMP authentication, then press the button. In the popup screen, select SNMPv2c or SNMPv3 and enter the corresponding authentication information.

You can add an unlimited number of Credential entries.

SNMP service watchlist: Exporter IP, Management IP, Port, Credentials ID, Group, Comment

Specify the mapping between the Exporter IP and the SNMP Management IP, the SNMP polling port number, and the reference to the Credential ID created in the previous step.

NFO Modules query this Service to get SNMP data.

10003: SNMP Information Monitor

When flow records are processed by NFO, the Module queries this Service to get SNMP data, passing the Exporter IP and the interface SNMP index as parameters. The SNMP Service in turn polls the corresponding network device, using the Exporter IP/Management IP mapping, and caches this information until it expires (Parameter: T - SNMP expiration time in secs).

For more information, see SNMP Information Monitor (10003 / 20003).

10103: SNMP Custom OID Sets Monitor

This Module enables you to create your own OID sets to report SNMP polling data.

Device group, introduced in NFO 2.8, allows you to link OID sets specified in this Module with the Group the device is assigned to. For more information, see SNMP Custom OID Sets Monitor (10103 / 20103).

10700: SNMP Traps Monitor

This Module reports SNMP Traps. For more information, see SNMP Traps Monitor (10700 / 20700).

Suspending SNMP Polling from Inactive Devices

If a device is not responding to SNMP polling, polling for this device is suspended for a period of time.

This period of time is set by the environment variable: NFO_SNMP_INACTIVE_POLL_TIMEOUT (default is 3600 seconds).

While a device is suspended, SNMP service requests for this device are skipped and counted in the number of SNMP polling skipped requests on the Status page.

NOTE: When a device is placed on the "skip polling" list, an event for this action is recorded in the nfo_audit.log file, which can be found in the $NFO_HOME/logs directory.

Here is an example:

2023-09-28 14:31:21,317 [NOTICE] -1: service=SNMP threadId=1 description="Unresponsive device" node=10.1.2.5:161 requestType=arbitrary resultCode=-1
2023-09-28 15:31:27,223 [NOTICE] -1: service=SNMP threadId=1 description="Unresponsive device" node=10.1.2.5:161 requestType=table(bulk) resultCode=-1
2023-09-28 16:33:31,644 [NOTICE] -1: service=SNMP threadId=1 description="Unresponsive device" node=10.1.2.5:161 requestType=arbitrary resultCode=-1
2023-09-28 17:33:37,441 [NOTICE] -1: service=SNMP threadId=1 description="Unresponsive device" node=10.1.2.5:161 requestType=arbitrary resultCode=-1

You may forward these logs to your SIEM system for active monitoring and alerting.

If you installed the Splunk Universal Forwarder on the NFO machine, here is an example inputs.conf:

[monitor:///opt/flowintegrator/logs/nfo_audit.log]
disabled = 0
index = flowintegrator
sourcetype = flowintegrator
_meta = nfo_hostname::nfo-server

where nfo-server is the NFO machine's hostname.
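The "Unresponsive device" audit events shown above can also be checked directly. The following is an added example, not part of NFO or its documentation: it parses the nfo_audit.log format and reports nodes that failed again each time their suspension window ended. The function names, the 300-second slack and the three-event threshold are assumptions, and the last sample line is constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# First four lines are the audit-log example from this page; the last is constructed.
SAMPLE_LOG = """\
2023-09-28 14:31:21,317 [NOTICE] -1: service=SNMP threadId=1 description="Unresponsive device" node=10.1.2.5:161 requestType=arbitrary resultCode=-1
2023-09-28 15:31:27,223 [NOTICE] -1: service=SNMP threadId=1 description="Unresponsive device" node=10.1.2.5:161 requestType=table(bulk) resultCode=-1
2023-09-28 16:33:31,644 [NOTICE] -1: service=SNMP threadId=1 description="Unresponsive device" node=10.1.2.5:161 requestType=arbitrary resultCode=-1
2023-09-28 17:33:37,441 [NOTICE] -1: service=SNMP threadId=1 description="Unresponsive device" node=10.1.2.5:161 requestType=arbitrary resultCode=-1
2023-09-28 14:40:02,118 [NOTICE] -1: service=SNMP threadId=1 description="Unresponsive device" node=10.1.2.9:161 requestType=arbitrary resultCode=-1
"""

LINE_RE = re.compile(r'^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d{3} \[(\w+)\] \S+ (.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="quoted value"

def parse_line(line):
    """Parse one audit line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group(3))}
    fields["time"] = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    fields["level"] = m.group(2)
    return fields

def persistent_outages(lines, suspend_secs=3600, slack_secs=300, min_streak=3):
    """Return {node: longest streak} for nodes with at least min_streak
    unresponsive events spaced one suspension window apart.
    suspend_secs mirrors NFO_SNMP_INACTIVE_POLL_TIMEOUT; slack_secs (assumed)
    allows for poll scheduling. Events must be in time order per node."""
    window = timedelta(seconds=suspend_secs + slack_secs)
    last_seen, streak, longest = {}, defaultdict(int), defaultdict(int)
    for line in lines:
        ev = parse_line(line)
        if not ev or ev.get("service") != "SNMP" or "node" not in ev:
            continue
        if ev.get("description") != "Unresponsive device":
            continue
        node, prev = ev["node"], last_seen.get(ev["node"])
        chained = prev is not None and ev["time"] - prev <= window
        streak[node] = streak[node] + 1 if chained else 1
        longest[node] = max(longest[node], streak[node])
        last_seen[node] = ev["time"]
    return {n: s for n, s in longest.items() if s >= min_streak}

if __name__ == "__main__":
    print(persistent_outages(SAMPLE_LOG.splitlines()))
```

A node reported here has been unreachable across several consecutive suspension periods, which usually means lost SNMP visibility (device down, changed credentials or filtered port) rather than a transient timeout.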

Other Environment Variables

The environment variables available for further tuning SNMP polling are described in the table below.

| Parameter | Description | Comments |
| --- | --- | --- |
| NFO_SNMP_REQ_QUEUE_LEN | SNMP requests (default and arbitrary) queue length | default=1000 (min: 100, max: 100000) |
| NFO_SNMP_TRAP_QUEUE_LEN | SNMP traps queue length | default=1000 (min: 100, max: 100000) |
| NFO_SNMP_GETBULK_DISABLE | Disable GetBulk request for SNMP | default=0 (0 - enable getbulk, 1 - disable getbulk) |
| NFO_SNMP_GETBULK_REPEATERS | SNMP max-repetitions count for GetBulk request | default=10 (min: 1, max: 100) |
| NFO_SNMP_MSG_MAX_SIZE | SNMP maximum message size (maxMsgSize) | default=0 (0 means that the NetSNMP default value is used, which is 1500) (min: 484, max: 65507) |
| NFO_SNMP_RETRIES | SNMP retries count | default=-1 (-1 means that the NetSNMP default value is used, which is 5) (min: 0, max: 10) |
| NFO_SNMP_INACTIVE_POLL_TIMEOUT | Period of time the polling for this device is suspended if the device does not reply | default=3600 seconds |
| NFO_SNMP_THREAD_COUNT | The number of threads allocated for SNMP polling | default=1 (min: 1, max: 1024) |

NOTE: NFO server environment variables can be set here: Tracing and Configuration