|
| 1 | +--- |
| 2 | +title: Collect SNMP trap data with Azure Monitor Agent |
| 3 | +description: Learn how to collect SNMP trap data and send the data to Azure Monitor Logs using Azure Monitor Agent. |
| 4 | +ms.topic: how-to |
| 5 | +ms.date: 06/22/2022 |
| 6 | +ms.reviewer: shseth |
| 7 | + |
| 8 | +--- |
| 9 | + |
| 10 | +# Collect SNMP trap data with Azure Monitor Agent |
| 11 | + |
| 12 | +Simple Network Management Protocol (SNMP) is a widely-deployed management protocol for monitoring and configuring Linux devices and appliances. |
| 13 | + |
| 14 | +You can collect SNMP data in two ways: |
| 15 | + |
| 16 | +- **Polls** - The managing system polls an SNMP agent to gather values for specific properties. |
| 17 | +- **Traps** - An SNMP agent forwards events or notifications to a managing system. |
| 18 | + |
| 19 | +Traps are most often used as event notifications, while polls are more appropriate for stateful health detection and collecting performance metrics. |
| 20 | + |
| 21 | +You can use Azure Monitor Agent to collect SNMP traps as syslog events or as events logged in a text file. |
| 22 | + |
| 23 | +In this tutorial, you learn how to: |
| 24 | + |
| 25 | +> [!div class="checklist"] |
| 26 | +> * Set up the trap receiver log options and format |
| 27 | +> * Configure the trap receiver to send traps to syslog or text file |
| 28 | +> * Collect SNMP traps using Azure Monitor Agent |
| 29 | +
|
| 30 | +## Prerequisites |
| 31 | + |
| 32 | +To complete this tutorial, you need: |
| 33 | + |
| 34 | +- A Log Analytics workspace where you have at least [contributor rights](../logs/manage-access.md#azure-rbac). |
| 35 | + |
| 36 | +- Management Information Base (MIB) files for the devices you are monitoring. |
| 37 | + |
| 38 | + SNMP identifies monitored properties using Object Identifier (OID) values, which are defined and described in vendor-provided MIB files. |
| 39 | + |
| 40 | + The device vendor typically provides MIB files. If you don't have the MIB files, you can find the files for many vendors on third-party websites. |
| 41 | + |
| 42 | + Place all MIB files for each device that sends SNMP traps in `/usr/share/snmp/mibs`, the default directory for MIB files. This enables logging SNMP trap fields with meaningful names instead of OIDs. |
| 43 | + |
| 44 | + Some vendors maintain a single MIB for all devices, while others have hundreds of MIB files. To load an MIB file correctly, snmptrapd must load all dependent MIBs. Be sure to check the snmptrapd log file after loading MIBs to ensure that there are no missing dependencies in parsing your MIB files. |
| 45 | + |
| 46 | +- A Linux server with an SNMP trap receiver. |
| 47 | + |
| 48 | + In this article, we use **snmptrapd**, an SNMP trap receiver from the [Net-SNMP](https://www.net-snmp.org/) agent, which most Linux distributions provide. However, there are many other SNMP trap receiver services you can use. |
| 49 | + |
| 50 | + The snmptrapd configuration procedure may vary between Linux distributions. For more information on snmptrapd configuration, including guidance on configuring for SNMP v3 authentication, see the [Net-SNMP documentation](https://www.net-snmp.org/docs/man/snmptrapd.conf.html). |
| 51 | + |
| 52 | + It's important that the SNMP trap receiver you use can load MIB files for your environment, so that the properties in the SNMP trap message have meaningful names instead of OIDs. |
| 53 | + |
| 54 | +## Set up the trap receiver log options and format |
| 55 | + |
| 56 | +To set up the snmptrapd trap receiver on a CentOS 7, Red Hat Enterprise Linux 7, Oracle Linux 7 server: |
| 57 | + |
| 58 | +1. Install and enable snmptrapd: |
| 59 | + |
| 60 | + ```bash |
| 61 | + #Install the SNMP agent |
| 62 | + sudo yum install net-snmp |
| 63 | + #Enable the service |
| 64 | + sudo systemctl enable snmptrapd |
| 65 | + #Allow UDP 162 through the firewall |
| 66 | + sudo firewall-cmd --zone=public --add-port=162/udp --permanent |
| 67 | + ``` |
| 68 | + |
| 69 | +1. Authorize community strings (SNMP v1 and v2 authentication strings) and define the format for the traps written to the log file: |
| 70 | + |
| 71 | + 1. Open `snmptrapd.conf`: |
| 72 | + |
| 73 | + ```bash |
| 74 | + sudo vi /etc/snmp/snmptrapd.conf |
| 75 | + ``` |
| 76 | + |
| 77 | + 1. Add these lines to your `snmptrapd.conf` file: |
| 78 | + |
| 79 | + ```bash |
| 80 | + # Allow all traps for all OIDs, from all sources, with a community string of public |
| 81 | + authCommunity log,execute,net public |
| 82 | + # Format logs for collection by Azure Monitor Agent |
| 83 | + format2 snmptrap %a %B %y/%m/%l %h:%j:%k %N %W %q %T %W %v \n |
| 84 | + ``` |
| 85 | + |
| 86 | + > [!NOTE] |
| 87 | + > snmptrapd logs both traps and daemon messages - for example, service stop and start - to the same log file. In the example above, we’ve defined the log format to start with the word “snmptrap” to make it easy to filter snmptraps from the log later on. |
| 88 | +## Configure the trap receiver to send trap data to syslog or text file |
| 89 | + |
| 90 | +There are two ways snmptrapd can send SNMP traps to Azure Monitor Agent: |
| 91 | + |
| 92 | +- Forward incoming traps to syslog, which you can set as the data source for Azure Monitor Agent. |
| 93 | + |
| 94 | +- Write the syslog messages to a file, which Azure Monitor Agent can *tail* and parse. This option allows you to send the SNMP traps as a new datatype rather than sending as syslog events. |
| 95 | + |
| 96 | +To edit the output behavior configuration of snmptrapd: |
| 97 | + |
| 98 | +1. Open the `/etc/snmp/snmptrapd.conf` file: |
| 99 | + |
| 100 | + ```bash |
| 101 | + sudo vi /etc/sysconfig/snmptrapd |
| 102 | + ``` |
| 103 | + |
| 104 | +1. Configure the output destination. |
| 105 | + |
| 106 | + Here's an example configuration: |
| 107 | +
|
| 108 | + ```bash |
| 109 | + # snmptrapd command line options |
| 110 | + # '-f' is implicitly added by snmptrapd systemd unit file |
| 111 | + # OPTIONS="-Lsd" |
| 112 | + OPTIONS="-m ALL -Ls2 -Lf /var/log/snmptrapd" |
| 113 | + ``` |
| 114 | + |
| 115 | + The options in this example configuration are: |
| 116 | + |
| 117 | + - `-m ALL` - Load all MIB files in the default directory. |
| 118 | + - `-Ls2` - Output traps to syslog, to the Local2 facility. |
| 119 | + - `-Lf /var/log/snmptrapd` - Log traps to the `/var/log/snmptrapd` file. |
| 120 | + |
| 121 | +> [!NOTE] |
| 122 | +> See Net-SNMP documentation for more information about [how to set output options](https://www.net-snmp.org/docs/man/snmpcmd.html) and [how to set formatting options](https://www.net-snmp.org/docs/man/snmptrapd.html). |
| 123 | + |
| 124 | +## Collect SNMP traps using Azure Monitor Agent |
| 125 | +
|
| 126 | +If you configured snmptrapd to send events to syslog, follow the steps described in [Collect events and performance counters with Azure Monitor Agent](../agents/data-collection-rule-azure-monitor-agent.md). Make sure to select **Linux syslog** as the data source when you define the data collection rule for Azure Monitor Agent. |
| 127 | +
|
| 128 | +If you configured snmptrapd to write events to a file, follow the steps described in [Collect text and IIS logs with Azure Monitor agent](../agents/data-collection-text-log.md). |
| 129 | +
|
| 130 | +## Next steps |
| 131 | +
|
| 132 | +Learn more about: |
| 133 | +
|
| 134 | +- [Azure Monitor Agent](azure-monitor-agent-overview.md). |
| 135 | +- [Data collection rules](../essentials/data-collection-rule-overview.md). |
| 136 | +- [Best practices for cost management in Azure Monitor](../best-practices-cost.md). |
0 commit comments