SNMPTRAP not detecting remote activities

SNMPTRAP is only working when I execute the command in the instance where Telegraf is located.

Config:

[[inputs.snmp_trap]]
service_address = "udp://:162"
## Path to mib files
path = ["/usr/share/snmp/mibs"]
## Snmp version
version = "3"
sec_name = "telegraf_trap"
auth_protocol = "MD5"
auth_password = "123$42256"
sec_level = "authNoPriv"

Test:

[root@hci-mtl2-collector01 telegraf]# telegraf --config /root/snmp_trap.conf --test-wait 600
2024-05-10T18:39:29Z I! Loading config: /root/snmp_trap.conf
2024-05-10T18:39:29Z W! DeprecationWarning: Option "timeout" of plugin "inputs.snmp_trap" deprecated since version 1.20.0 and will be removed in 2.0.0: unused option
2024-05-10T18:39:29Z I! Starting Telegraf 1.28.5 brought to you by InfluxData the makers of InfluxDB
2024-05-10T18:39:29Z I! Available plugins: 240 inputs, 9 aggregators, 29 processors, 24 parsers, 59 outputs, 5 secret-stores
2024-05-10T18:39:29Z I! Loaded inputs: snmp_trap
2024-05-10T18:39:29Z I! Loaded aggregators:
2024-05-10T18:39:29Z I! Loaded processors:
2024-05-10T18:39:29Z I! Loaded secretstores:
2024-05-10T18:39:29Z W! Outputs are not used in testing mode!
2024-05-10T18:39:29Z I! Tags enabled: host=hci-mtl2-collector01
2024-05-10T18:39:29Z W! Deprecated inputs: 0 and 1 options
2024-05-10T18:39:29Z I! [inputs.snmp_trap] Listening on udp://:162

Command:

snmptrap -v3 -l authnoPriv -u telegraf_trap -A '123$42256' -a MD5 -n "" udp:172.27.0.52:162 '' 1.3.6.1.4.1.1234.1 1.3.6.1.4.1.1234.1.1 s "test trap"

tcpdump:
[root@hci-mtl2-collector01 telegraf.d]# tcpdump -vvvv -i eth0 udp port 162
dropped privs to tcpdump
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
14:44:31.209020 IP (tos 0x0, ttl 63, id 44599, offset 0, flags [DF], proto UDP (17), length 218)
172.27.2.91.40400 > hci-mtl2-collector01.snmptrap: [udp sum ok] { SNMPv3 { F=a } { USM B=1 T=0 U="telegraf_trap" } { ScopedPDU E=_80_00_1f_88_80_31_3c_17_6d_0f_6b_3e_66_00_00_00_00 C="" { V2Trap(80) R=2128788058 system.sysUpTime.0=734344033 S:1.1.4.1.0=E:1234.1 E:1234.1.1="test trap" } } }

No information is received by the snmp trap.
Below is a local test.
Test running on the server where telegraf is located:

Result:

> snmp_trap,engine_id=80001f88808f0d391f85223d6600000000,host=hci-mtl2-collector01,mib=SNMPv2-SMI,name=enterprises.1234.1,oid=.1.3.6.1.4.1.1234.1,source=172.27.0.52,version=3 enterprises.1234.1.1="test trap",sysUpTimeInstance=2870519942i 1715366897175785967

Hello @Marcio_Rubens,
Welcome! Out of curiosity, what are you using InfluxDB for? I love to learn about users’ projects. Thanks

Hmm odd how the SNMP trap is configured correctly and running locally and not remotely.
Can you check the following?

  • Firewall: Verify that there are no firewalls blocking UDP port 162 between the source of the SNMP trap and the server running Telegraf
  • Listening IP address: Ensure no other services are running on that port.
  • Telegraf logs: In telegraf config can you set debug=true?

What system are you running on?
Also can you modify your tcpdump command to filter less verbosely to see if the packets are arriving at all from remote hosts?

Hello @Anaisdg

I don’t use InfluxDB.
I use Telegraf and OpenTSDB.

I’m using Rocky 8.

I checked the firewall and there is no blocking and I activated debug, but there was no information in the log regarding the trap.

[root@hci-mtl2-collector01 telegraf.d]# tcpdump -i eth0 udp port 162
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
08:59:55.225777 IP 172.27.2.91.39792 > hci-mtl2-collector01.snmptrap: F=a U="telegraf_trap" E=_80_00_1f_88_80_86_5f_c8_05_f3_67_3e_66_00_00_00_00 C="" V2Trap(80) system.sysUpTime.0=792756435 S:1.1.4.1.0=E:1234.1 E:1234.1.1="test trap"

[root@hci-mtl2-collector01 ~]# netstat -na |grep 162
udp 0 0 172.27.0.52:162 0.0.0.0:*
[root@hci-mtl2-collector01 ~]#

Result when I run it on the telegraf host
[root@hci-mtl2-collector01 ~]# tcpdump -i lo udp port 162
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo, link-type EN10MB (Ethernet), capture size 262144 bytes
09:43:24.108460 IP hci-mtl2-collector01.33668 > hci-mtl2-collector01.snmptrap: F=a U="telegraf_trap" E=_80_00_1f_88_80_8f_0d_39_1f_85_22_3d_66_00_00_00_00 C="" V2Trap(81) system.sysUpTime.0=2929170638 S:1.1.4.1.0=E:1234.1 E:1234.1.1="test trap"
09:44:40.592104 IP hci-mtl2-collector01.42167 > hci-mtl2-collector01.snmptrap: F=a U="telegraf_trap" E=_80_00_1f_88_80_8f_0d_39_1f_85_22_3d_66_00_00_00_00 C="" V2Trap(81) system.sysUpTime.0=2929178286 S:1.1.4.1.0=E:1234.1 E:1234.1.1="test trap"

Apparently it is only listening on the loopback interface.

Any tips?
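
The tcpdump lines in this thread print the SNMPv3 flags (F=), the USM boots, time and user (B=, T=, U=) and the ScopedPDU engine ID (E=), but not the USM authoritative engine ID. The Python decoder below is an added example, not code from any poster or from Telegraf; it reads those cleartext header fields from a raw trap datagram so that a remote and a local trap can be compared field by field. The sample bytes, the placeholder engine ID and all function names are constructed for illustration.

```python
def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the BER element starting at buf[pos]."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated BER value")
    return tag, buf[pos:pos + length], pos + length

def children(buf):  # split a constructed element's contents into (tag, value) pairs
    out, pos = [], 0
    while pos < len(buf):
        tag, val, pos = read_tlv(buf, pos)
        out.append((tag, val))
    return out

def snmpv3_header(datagram):
    """Return msgFlags bits, USM fields and the context engine ID of one message."""
    tag, body, _ = read_tlv(datagram)
    parts = children(body)
    if tag != 0x30 or len(parts) != 4 or parts[0][1] != b"\x03":
        raise ValueError("not an SNMPv3 message")
    _, global_data, sec_params, msg_data = parts
    flags = children(global_data[1])[2][1][0]       # msgFlags is a one-octet string
    usm = children(read_tlv(sec_params[1])[1])      # OCTET STRING wrapping a SEQUENCE
    info = {
        "auth": bool(flags & 1), "priv": bool(flags & 2),
        "usm_engine_id": usm[0][1].hex(),
        "boots": int.from_bytes(usm[1][1], "big"), "time": int.from_bytes(usm[2][1], "big"),
        "user": usm[3][1].decode("utf-8", "replace"),
        "context_engine_id": None,                  # stays None when the PDU is encrypted
    }
    if msg_data[0] == 0x30:                         # plaintext ScopedPDU
        info["context_engine_id"] = children(msg_data[1])[0][1].hex()
    return info

def tlv(tag, value):  # encoder used only to build the constructed sample (short lengths)
    return bytes([tag, len(value)]) + value

ENGINE = bytes.fromhex("800000000102030405")        # constructed placeholder engine ID
USM = tlv(0x30, tlv(4, ENGINE) + tlv(2, b"\x01") + tlv(2, b"\x00")
          + tlv(4, b"telegraf_trap") + tlv(4, bytes(12)) + tlv(4, b""))
GLOBAL = tlv(0x30, tlv(2, b"\x01") + tlv(2, b"\x05\xdc") + tlv(4, b"\x01") + tlv(2, b"\x03"))
SAMPLE = tlv(0x30, tlv(2, b"\x03") + GLOBAL + tlv(4, USM)
             + tlv(0x30, tlv(4, ENGINE) + tlv(4, b"") + tlv(0xA7, b"")))  # PDU body left empty
print(snmpv3_header(SAMPLE))
```

Feed it the UDP payload of one trap captured from the remote sender and one from the local sender, then compare the two dictionaries.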