SNMPv3. Problem with decryption traps. Enable a debug mode
Hi,
I've configured SNMP source to accept SNMPv3 traps.
Traps cannot be decrypted and I would like to find out why.
I enabled debug mode in Worker Settings for authentication, input snmp, etc.
But nothing appears in the Logs tab when choosing the All Logs option.
Answers
-
Hi Pawel,
What SNMPv3 encryption algorithm and authentication are you sending Cribl Stream?
We currently support the following authentication protocols:
None
MD5
SHA
SHA224
SHA256
SHA384
SHA512
We currently support the following privacy algorithms:
None
DES
AES
AES256b (Blumenthal)
AES256r (Reeder)
0 -
Pawel- were you able to get this resolved? I'm having a similar issue.
I'm pushing SNMPv3 traps from a Cisco switch using SHA/AES-256 (Cisco native settings) authPriv to Cribl Stream. The SNMP Trap Source on Cribl shows the data reaching there (under "Status" I see "v3" and "Received" incrementing- see snmp_1.png), however no data is populating "Charts" or "Live Data" tabs- see snmp_2.png. I've tried to run a capture to no success.
Under the "Configure" settings for this SNMP Trap, I have the "Authentication" settings set to SHA and AES256r (When I tried AES or AES256b, I saw "Decryption Failures" in the "Status" tab increment).
So it appears the SNMP Trap source is accepting and decrypting the data correctly, but I'm not sure why I'm not seeing it in the "Charts" or "Live Data" tabs? Any help is appreciated.
0 -
@zak le, the problem is that there are no logs even when a debug level is set, so the problem was not resolved.
But, yes, I've managed to decrypt traps after an upgrade of Cribl.
Please ensure that you have the newest version, or at least 4.3, and that authentication methods and credentials are set properly.
0 -
@Pawel Kwiatkowski you can try setting log level to "Silly" temporarily. This will show you things like "number of SNMPv3 traps received", "number of v3 decryption failures", etc.
I believe my authentication and encryption settings are proper as I'm not getting any decryption failures. The logs show Cribl accepting SNMPv3 traps, it's just weird that the Charts don't show any throughput.
0 -
@zak le thx for the tip with the log level.
If authentication is ok then you should see decrypted traps in the Live Data tab.
Do you see them?
0 -
I got it to work now and am seeing Live Data/throughput. The issue was a line of code in my Cisco switch for an older SNMP config. It was sending conflicting traps to Cribl.
Thanks!
1
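
The thread reports decryption failures with AES256b but success with AES256r for the same switch and passphrase. This added example (not from any poster or from Cribl) shows why: the Blumenthal and Reeder drafts stretch the 20-byte SHA-1 localized key to 32 bytes differently, so the two settings produce different AES-256 keys. It assumes the Blumenthal/Reeder labels refer to draft-blumenthal-aes-usm-04 and draft-reeder-snmpv3-usm-3desede-00; the passphrase and engine ID are the RFC 3414 A.3 test values, not values from the thread, and all function names are hypothetical.

```python
import hashlib

ONE_MIB = 1048576  # RFC 3414 A.2 hashes exactly this many bytes of repeated passphrase

# RFC 3414 A.3 test vector inputs (sample data, not taken from the thread)
SAMPLE_PASSPHRASE = b"maplesyrup"
SAMPLE_ENGINE_ID = bytes.fromhex("000000000000000000000002")

def password_to_key(passphrase: bytes, algo: str = "sha1") -> bytes:
    """RFC 3414 A.2: Ku = H(passphrase repeated out to 1 MiB)."""
    reps, rem = divmod(ONE_MIB, len(passphrase))
    return hashlib.new(algo, passphrase * reps + passphrase[:rem]).digest()

def localize(ku: bytes, engine_id: bytes, algo: str = "sha1") -> bytes:
    """RFC 3414 2.6: Kul = H(Ku || engineID || Ku)."""
    return hashlib.new(algo, ku + engine_id + ku).digest()

def extend_blumenthal(kul: bytes, key_len: int, algo: str = "sha1") -> bytes:
    """Blumenthal draft: append H(key so far) until the key is long enough."""
    key = kul
    while len(key) < key_len:
        key += hashlib.new(algo, key).digest()
    return key[:key_len]

def extend_reeder(kul: bytes, engine_id: bytes, key_len: int, algo: str = "sha1") -> bytes:
    """Reeder draft: feed the key so far back through password-to-key and
    localization, then append the result."""
    key = kul
    while len(key) < key_len:
        key += localize(password_to_key(key, algo), engine_id, algo)
    return key[:key_len]

def derive_aes256_keys(passphrase: bytes, engine_id: bytes, algo: str = "sha1") -> dict:
    """Return the localized key and both 32-byte AES-256 privacy key variants."""
    kul = localize(password_to_key(passphrase, algo), engine_id, algo)
    return {
        "kul": kul,
        "AES256b": extend_blumenthal(kul, 32, algo),
        "AES256r": extend_reeder(kul, engine_id, 32, algo),
    }

if __name__ == "__main__":
    for name, key in derive_aes256_keys(SAMPLE_PASSPHRASE, SAMPLE_ENGINE_ID).items():
        print(f"{name:8} {key.hex()}")
```

The first 20 bytes of both keys are identical and only the extension differs, so a mismatch between sender and receiver settings shows up as decryption failures rather than authentication failures.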