Configuring the SNMP Emitter (deprecated)

Note: Audit Manager is deprecated and provided for backward compatibility only. We recommend that you use syslog events instead. See Enterprise Server Auditing for more information.

SNMP installations are split into two parts: an SNMP Agent runs on the systems being managed, whilst a central Management Console or other Management Tool runs elsewhere to monitor and maintain the systems that are running the Agents. There may be more than one Agent on a given system, provided that they are all configured to avoid using the same UDP and/or TCP ports, and that the Management Tool is told which ports to use to contact the Agents.

Various specifications of SNMP exist. v1 is not widely used today. v2, and specifically v2c, is most common, whilst v3 can be thought of as v2c using encrypted data flows.

There are many Agent systems. These may be software used on various operating systems, or firmware operating within hardware devices such as network routers. Micro Focus does not supply any Agent software.

The SNMP Emitter for the Micro Focus Audit Manager supports multiple logical interfaces which in turn interface with specific Agent services. The following SNMP Agent interfaces are provided for use with Net Express.

| Agent interface module | Supplied with | Supported SNMP version | Description |
| --- | --- | --- | --- |
| mf_audit_win_snmp.dll | All installations of Net Express and Server | v2 and v2c | This module supports installations of Microsoft's WinSNMP embedded SNMP service, which works with SNMP v2 and v2c. |
| mf_audit_net_snmp.dll | All installations of Net Express and Server | v2, v2c and v3 (with no authentication or encryption of data) | This module supports installations of Net-SNMP v5.4 and upwards. |
| mf_audit_net_snmp.dll | The optional Security Pack for Net Express and Server | v2, v2c and v3 (with authentication and encryption of data) | This module supports installations of Net-SNMP v5.4 and upwards. |

To use any of these modules, make the appropriate entries in the configuration file used by the Micro Focus Audit Consolidator Process. For details of the configuration file, see The Audit Consolidator Process Configuration File. For details on starting the consolidator process and specifying the location of the configuration file, see To start an audit event consolidator.

For each of these modules, a sample configuration file is shipped. The files are mf_audit_net_snmp.cfg and mf_audit_win_snmp.cfg. These contain elements specific to each of the variants of Windows SNMP support, but they are not complete mfauditmgr configuration files. The contents of the relevant sample file, or files, must first be merged with the existing Audit Manager configuration file, and then the Audit Manager system service must be re-started before the changes will take effect.

Many configuration options are common to both agent installations, but there are some entries that are specifically for use with Net-SNMP: the WinSNMP agent only supports SNMP v1 and SNMP v2 Trap generation, whilst the Net-SNMP agent also supports SNMP v3. However, the only configuration element that changes between WinSNMP and Net-SNMP when using SNMP v2 Traps is the agent name item.

It is perfectly acceptable to switch between Agents using a single configuration file: alternate the agent entry between mf_audit_win_snmp and mf_audit_net_snmp, then re-start the mfauditmgr service. Any extra SNMP v3 parameters that may have been supplied for Net-SNMP will simply be ignored by the WinSNMP emitter. A v2 Trap will always be issued when WinSNMP is in use, regardless of the SNMP version configured.

However, to use v3 authentication you must have the mf_audit_net_snmp module supplied with the Security Pack. If you configure the use of authentication when using the mf_audit_net_snmp module with the base Net Express or Server product, the emitter will log an error message.

Here's an example of a configuration file which will trace Audit events to both SNMP and the standard AUDITFILE emitter. This configuration uses WinSNMP to send the SNMP Trap messages.

mfaudit.emitter.snmp                = snmpaudit
mfaudit.dest                             = auditfile,snmp

mfaudit.emitter.auditfile#collectionsize = 5
mfaudit.emitter.auditfile#location       = c:\logs
mfaudit.emitter.auditfile#maxfilesize    = 1

mfaudit.emitter.snmp#agent      = mf_audit_win_snmp
# location of the Trap receiver, the Management Console that will view the audit events
mfaudit.emitter.snmp#agent.hostname  = <target host name or IP address>
# use port 162, the IANA default port for UDP and TCP traps
mfaudit.emitter.snmp#agent.port  = 162
# default is to exclude the events 0,2,3,4,5,6, the example below excludes
# events with a category >9
mfaudit.emitter.snmp#agent.exclude.events=>9

# Mode of transport, either UDP or TCP
# The default is UDP. Although an option for v2 installations
# TCP is normally only used for SNMP v3 
# and is still only optional for v3
mfaudit.emitter.snmp#agent.transport = UDP

# the SNMP community of installations in which this system exists
# community default is "public" 
mfaudit.emitter.snmp#agent.community = public
 
# snmp_version can be either "2" or "3". If v3, extra parameters 
# are also required, see below.
# The default is "2"
mfaudit.emitter.snmp#agent.snmp_version = 2

The only change required to re-configure this audit manager installation to emit Audit events to SNMP using Net-SNMP instead of WinSNMP is shown below.

mfaudit.emitter.snmp#agent       = mf_audit_net_snmp

There are several extra parameters that are required in order to configure an SNMP v3 environment for the sending of encrypted audit messages. These are covered in Working with SNMP v3.
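Because WinSNMP always issues a v2 Trap regardless of the configured version, a shared configuration file can declare snmp_version = 3 while audit events still leave the host unencrypted. The following check is an added example, not part of the product or the original page: it reads the keys shown in the sample above and reports the effective trap security. The function names and the sample address are assumptions, and the v3 parameters are not inspected because this page does not list them.

```python
# Constructed sample: the page's WinSNMP example with snmp_version changed to 3.
SAMPLE = r"""
mfaudit.emitter.snmp#agent = mf_audit_win_snmp
# constructed receiver address (documentation range)
mfaudit.emitter.snmp#agent.hostname = 192.0.2.10
mfaudit.emitter.snmp#agent.transport = UDP
mfaudit.emitter.snmp#agent.community = public
mfaudit.emitter.snmp#agent.snmp_version = 3
"""

PREFIX = "mfaudit.emitter.snmp#agent"


def parse(text):
    """Return {key: value} for 'key = value' lines, skipping blanks and # comments."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # Split on the first '=' only, so values such as '>9' survive intact.
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip()] = value.strip()
    return settings


def audit(text):
    """Return findings about the SNMP emitter's effective trap security."""
    cfg = parse(text)
    agent = cfg.get(PREFIX, "")
    # Defaults taken from the comments in the page's sample configuration.
    version = cfg.get(PREFIX + ".snmp_version", "2")
    community = cfg.get(PREFIX + ".community", "public")
    findings = []
    if agent == "mf_audit_win_snmp" and version == "3":
        findings.append("downgrade: WinSNMP ignores v3 settings and always sends a v2 trap")
    # WinSNMP emits v2 whatever the file says; Net-SNMP honours snmp_version.
    effective = "2" if agent == "mf_audit_win_snmp" else version
    if effective == "2":
        findings.append("cleartext: audit events are sent as unencrypted v2 traps")
        if community == "public":
            findings.append("community: default 'public' community string in use")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Run it against the merged Audit Manager configuration file after each agent switch; an empty result only means none of these three conditions was found.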