SNMPv3. Problem with decryption traps. Enable a debug mode

Hi,

I've configured SNMP source to accept SNMPv3 traps.

Traps cannot be decrypted, and I would like to know why.

I enabled debug mode in Worker Settings for authentication, input snmp, etc.

But nothing appears in the Logs tab when choosing the All Logs option.

Answers

  • Eric Reusche
    Eric Reusche Posts: 40 ✭✭
    edited December 2023

    Hi Pawel,

    What SNMPv3 encryption algorithm and authentication are you sending Cribl Stream?

    We currently support the following authentication protocols:

    • None
    • MD5
    • SHA
    • SHA224
    • SHA256
    • SHA384
    • SHA512

    We currently support the following privacy algorithms:

    • None
    • DES
    • AES
    • AES256b (Blumenthal)
    • AES256r (Reeder)

    https://docs.cribl.io/stream/sources-snmp-traps/#auth

  • zak le
    zak le Posts: 3
    edited April 9

    Pawel- were you able to get this resolved? I'm having a similar issue.

    I'm pushing SNMPv3 traps from a Cisco switch using SHA/AES-256 (Cisco native settings) authPriv to Cribl Stream. The SNMP Trap Source on Cribl shows the data reaching there (under "Status" I see "v3" and "Received" incrementing- see snmp_1.png), however no data is populating "Charts" or "Live Data" tabs- see snmp_2.png. I've tried to run a capture to no success.

    Under the "Configure" settings for this SNMP Trap, I have the "Authentication" settings set to SHA and AES256r (when I tried AES or AES256b, I saw "Decryption Failures" in the "Status" tab increment).

    So it appears the SNMP Trap source is accepting and decrypting the data correctly, but I'm not sure why I'm not seeing it in the "Charts" or "Live Data" tabs? Any help is appreciated.
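
Why the privacy setting has to match the sender exactly, as an added example (not part of the thread, and not Cribl's or Cisco's code): with SHA authentication the localized key is only 20 bytes, so AES-256 needs a key-extension step, and the Blumenthal and Reeder drafts extend it differently. The passphrase and engine ID are constructed sample values, and the function names are hypothetical.

```python
import hashlib

def password_to_key(passphrase: bytes) -> bytes:
    """RFC 3414 A.2: SHA-1 over 1,048,576 bytes of the repeated passphrase (Ku)."""
    reps, rem = divmod(1048576, len(passphrase))
    return hashlib.sha1(passphrase * reps + passphrase[:rem]).digest()

def localize(ku: bytes, engine_id: bytes) -> bytes:
    """RFC 3414: Kul = H(Ku || snmpEngineID || Ku), 20 bytes for SHA-1."""
    return hashlib.sha1(ku + engine_id + ku).digest()

def extend_blumenthal(kul: bytes, key_len: int = 32) -> bytes:
    """Blumenthal draft: append the hash of the key material so far."""
    key = kul
    while len(key) < key_len:
        key += hashlib.sha1(key).digest()
    return key[:key_len]

def extend_reeder(kul: bytes, engine_id: bytes, key_len: int = 32) -> bytes:
    """Reeder draft: treat the key so far as a passphrase and re-run
    password-to-key plus localization, then append the result."""
    key = kul
    while len(key) < key_len:
        key += localize(password_to_key(key), engine_id)
    return key[:key_len]

def derive_priv_keys(passphrase: bytes, engine_id: bytes) -> dict:
    """Privacy key each setting would derive from the same passphrase."""
    kul = localize(password_to_key(passphrase), engine_id)
    return {
        "AES": kul[:16],                      # AES-128 uses the first 16 bytes of Kul
        "AES256b": extend_blumenthal(kul),
        "AES256r": extend_reeder(kul, engine_id),
    }

if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    sample_pass = b"example-priv-passphrase"
    sample_engine = bytes.fromhex("80000009030000000000000001")
    for name, key in derive_priv_keys(sample_pass, sample_engine).items():
        print(f"{name:8s} {key.hex()}")
```

The two AES-256 keys share their first 20 bytes and differ in the last 12, so a receiver using the other variant cannot decrypt the scoped PDU even when the passphrase is correct, which is what surfaces as the "Decryption Failures" counter described above.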

  • Pawel Kwiatkowski
    Pawel Kwiatkowski Posts: 25

    @zak le, the problem is that there are no logs even when a debug level is set, so the problem was not resolved.

    But, yes, I've managed to decrypt traps after some upgrade of Cribl.

    Please ensure that you have the newest version, or at least 4.3, and that the authentication methods and credentials are set properly.

  • zak le
    zak le Posts: 3

    @Pawel Kwiatkowski you can try setting log level to "Silly" temporarily. This will show you things like "number of SNMPv3 traps received", "number of v3 decryption failures", etc.

    I believe my authentication and encryption settings are proper as I'm not getting any decryption failures. The logs show Cribl accepting SNMPv3 traps, it's just weird that the Charts don't show any throughput.

  • Pawel Kwiatkowski
    Pawel Kwiatkowski Posts: 25

    @zak le thx for the tip with the log level.

    If authentication is ok then you should see decrypted traps in the Live Data tab.

    Do you see them?

  • zak le
    zak le Posts: 3

    I got it to work now and am seeing Live Data/throughput. The issue was a line of code in my Cisco switch for an older SNMP config. It was sending conflicting traps to Cribl.

    Thanks!