Information Guide: Monitoring events using SNMP

Version 17

    DOC-6353

    Related articles (customer and partner login required):

    • Where can I find MIB files to monitor FireEye appliances?
    • Best Practice Guide: Monitoring FireEye Appliance Health with SNMP

    Introduction

    While it is possible to set up email notifications directly from an appliance, many admins prefer to use a monitoring tool. There are two options for monitoring system events using SNMP:

    • Poll: the SNMP tool queries (pulls) information from the appliance
    • Trap: the appliance pushes event information to the SNMP server

    Both options are described in detail in each appliance's administration guide. This article provides a brief summary for reference.

    SNMP Basics

    Term: Definition/Insight

    SNMP Community
        In SNMPv2, the "snmp community" is similar to a password. Make sure you replace the <community> string with the SNMP community actually used for both SNMP polling and SNMP traps.
        In SNMPv3, the "snmp community" is replaced with a username, auth hash algorithm, auth password and an optional priv password.

    NMS
        Network Management System.

    <NMS IP>
        Network Management System IP: the IP address of the monitoring server receiving the traps. It is not required if you are only polling information from the appliance.

    Polling
        The SNMP tool queries the appliance on UDP port 161 for statistics.

    Traps
        The appliance pushes alerts to the SNMP tool when specified thresholds are met or events occur.

    OID
        Object Identifier: a unique identifier representing a specific attribute, condition, or piece of information about the appliance.

    MIB
        Management Information Base: contains all the OIDs for traps and polling attributes available on the appliance. Common FireEye MIBs are:
        • HOST-RESOURCES-MIB
        • FIREEYE-MIB
        • TMS-MIB
        • SNMPv2-MIB

    OIDs and MIBs may vary between appliance types and operating system versions. You can download the MIB from each appliance by going to Notifications > SNMP > Download our MIB file.

    Example using an OID in polling and traps:

    • Polling: the .1.3.6.1.4.1.16858.1.1.1 OID returns the appliance OS version.
    • Trapping: the appliance can include the .1.3.6.1.4.1.25597.11.1.0.1 OID in a trap to send the FireEye appliance OS version when it has exceeded its own temperature threshold.

     

    Enabling SNMP

    To enable SNMP on an appliance:

    hostname # enable
    hostname # configure terminal
    hostname (Config) # snmp-server enable
    hostname (Config) # snmp-server enable communities
    hostname (Config) # snmp-server listen enable                 (enables polling)
    hostname (Config) # snmp-server enable notify                 (enables trapping)
    hostname (Config) # snmp-server host <$NMS_IP> traps <community>

    <$NMS_IP> = the IP address of the monitoring server receiving traps; not required for polling

    For SNMPv2:

    hostname (Config) # snmp-server community <community> ro

    In SNMPv2, the "snmp community" is like a password. Ensure the <community> string is correct for both SNMP polling and SNMP traps.

    For SNMPv3:

    hostname (Config) # snmp-server user <$username> v3 auth <$hash_algorithm> <$password>
    hostname (Config) # snmp-server user <$username> v3 enable

    In SNMPv3, the "snmp community" is replaced with a username, auth hash algorithm, auth password, and an optional priv password.

    SNMP Polls (Query/Request)

    To configure polling, download the FE-FIREEYE-MIB from the appliance (Notifications > SNMP > Download our MIB file) and load it into the SNMP tool. Most SNMP browsers can retrieve the values the appliance supports and display them in a hierarchy, so you can find the value you need to include in the request.

    SNMP polling uses UDP port 161 to pull information from the appliance. You can set a threshold on the NMS (Network Management System) for the polled data, but that threshold exists on the NMS only; the appliance has no record of it.

    For more details, see "Retrieving SNMP Data" in your appliance's System Administration Guide.

    SNMP Traps (Event Push)

    Event notifications (known as traps) are sent by the appliance to the SNMP manager. Traps typically report alarm conditions such as a disk failure or excessive temperature.

    SNMP traps use UDP port 162 to push alerts from an appliance to the SNMP server. For alerts based on thresholds, the threshold is configured on the appliance itself. In some cases, an additional trap is sent when a value that exceeded a threshold returns to acceptable limits (rising and falling).

    For more details, see "Sending Traps" in your appliance's System Administration Guide.
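    The two exchanges above, a GetRequest poll of the OS-version OID on UDP/161 and an SNMPv2-Trap pushed to UDP/162, shown at the wire level. This is an added example written for this article, not FireEye code or a FireEye tool; it hand-encodes SNMPv2c messages in BER (standard library only, no pysnmp) so you can see what the NMS and the appliance actually send. The community string "fe-monitor", the OS version "8.1.0" and the uptime value are constructed; the two OIDs are the ones quoted in this article, and sysUpTime.0 / snmpTrapOID.0 are the standard varbinds every SNMPv2 trap begins with. One thing the bytes make obvious: in v2c the community string travels in cleartext in every packet, which is the reason to use the SNMPv3 user/auth configuration from the Enabling SNMP section on any network segment you do not fully trust.

```python
"""SNMPv2c BER codec for a GetRequest poll and an SNMPv2-Trap push.
Added example, not FireEye code; community, version string and uptime are constructed."""

INTEGER, OCTET_STRING, NULL, OID, SEQUENCE, TIMETICKS = 0x02, 0x04, 0x05, 0x06, 0x30, 0x43
GET_REQUEST, GET_RESPONSE, SNMPV2_TRAP = 0xA0, 0xA2, 0xA7
SNMP_V2C = 1  # value of the version field for SNMPv2c

SYS_UPTIME_OID = ".1.3.6.1.2.1.1.3.0"        # sysUpTime.0: first varbind of every v2 trap
SNMP_TRAP_OID = ".1.3.6.1.6.3.1.1.4.1.0"     # snmpTrapOID.0: second varbind, names the event
OS_VERSION_OID = ".1.3.6.1.4.1.16858.1.1.1"        # polling OID quoted in the article
FE_TEMP_TRAP_OID = ".1.3.6.1.4.1.25597.11.1.0.1"   # trap OID quoted in the article


def _length(n):
    """BER length: one byte below 128, otherwise 0x80|count followed by the big-endian count."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, value):
    return bytes([tag]) + _length(len(value)) + value


def _encode_int(v, tag=INTEGER):
    # minimal two's-complement; (bit_length + 8) // 8 always leaves room for the sign bit
    return _tlv(tag, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))


def _encode_oid(oid):
    parts = [int(p) for p in oid.strip(".").split(".")]
    out = bytearray([40 * parts[0] + parts[1]])  # first two arcs share one byte
    for p in parts[2:]:
        chunk = [p & 0x7F]
        p >>= 7
        while p:  # base-128 with continuation bit on every byte but the last
            chunk.append(0x80 | (p & 0x7F))
            p >>= 7
        out.extend(reversed(chunk))
    return _tlv(OID, bytes(out))


def _message(community, pdu_type, request_id, varbinds):
    """Wrap (oid, encoded value) pairs in a PDU, then in the v2c message envelope."""
    vbl = b"".join(_tlv(SEQUENCE, _encode_oid(o) + v) for o, v in varbinds)
    pdu = _encode_int(request_id) + _encode_int(0) + _encode_int(0) + _tlv(SEQUENCE, vbl)
    return _tlv(SEQUENCE, _encode_int(SNMP_V2C)
                + _tlv(OCTET_STRING, community.encode()) + _tlv(pdu_type, pdu))


def build_get_request(community, oid, request_id):
    """Poll (to UDP/161): ask for one OID; the value slot is NULL until the appliance fills it."""
    return _message(community, GET_REQUEST, request_id, [(oid, _tlv(NULL, b""))])


def build_get_response(community, oid, value, request_id):
    """What the appliance would answer for a string-valued OID such as the OS version."""
    return _message(community, GET_RESPONSE, request_id,
                    [(oid, _tlv(OCTET_STRING, value.encode()))])


def build_trap(community, trap_oid, uptime_ticks, extra=()):
    """Trap (to UDP/162): sysUpTime.0 and snmpTrapOID.0 first, then event-specific varbinds."""
    varbinds = [(SYS_UPTIME_OID, _encode_int(uptime_ticks, TIMETICKS)),
                (SNMP_TRAP_OID, _encode_oid(trap_oid))]
    varbinds += [(o, _tlv(OCTET_STRING, v.encode())) for o, v in extra]
    return _message(community, SNMPV2_TRAP, 0, varbinds)


def _read_tlv(buf, pos):
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        k = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + ln], pos + ln


def _decode_oid(b):
    parts, val = [b[0] // 40, b[0] % 40], 0
    for byte in b[1:]:
        val = (val << 7) | (byte & 0x7F)
        if not byte & 0x80:
            parts.append(val)
            val = 0
    return "." + ".".join(map(str, parts))


def _decode_value(tag, b):
    if tag in (INTEGER, TIMETICKS):
        return int.from_bytes(b, "big", signed=(tag == INTEGER))
    if tag == OCTET_STRING:
        return b.decode(errors="replace")
    if tag == OID:
        return _decode_oid(b)
    return None  # NULL (unfilled request slot) or a type this example does not handle


def parse_message(packet):
    """Return (community, pdu_type, request_id, [(oid, value), ...]) from raw v2c bytes."""
    tag, body, _ = _read_tlv(packet, 0)
    if tag != SEQUENCE:
        raise ValueError("not an SNMP message")
    _, _, pos = _read_tlv(body, 0)                 # version
    _, community, pos = _read_tlv(body, pos)       # community, readable as-is in v2c
    pdu_type, pdu, _ = _read_tlv(body, pos)
    _, rid, pos = _read_tlv(pdu, 0)
    _, _, pos = _read_tlv(pdu, pos)                # error-status
    _, _, pos = _read_tlv(pdu, pos)                # error-index
    _, vbl, _ = _read_tlv(pdu, pos)
    varbinds, pos = [], 0
    while pos < len(vbl):
        _, vb, pos = _read_tlv(vbl, pos)
        _, oid_b, p = _read_tlv(vb, 0)
        vtag, val_b, _ = _read_tlv(vb, p)
        varbinds.append((_decode_oid(oid_b), _decode_value(vtag, val_b)))
    return (community.decode(errors="replace"), pdu_type,
            int.from_bytes(rid, "big", signed=True), varbinds)


def trap_event_oid(packet):
    """snmpTrapOID.0 from a received trap, the value an NMS maps to an event; None if not a trap."""
    _, pdu_type, _, varbinds = parse_message(packet)
    return dict(varbinds).get(SNMP_TRAP_OID) if pdu_type == SNMPV2_TRAP else None


if __name__ == "__main__":
    req = build_get_request("fe-monitor", OS_VERSION_OID, 42)  # "fe-monitor" is a constructed community
    print(req.hex())  # the community string is readable in this dump: v2c sends it in cleartext
    print(parse_message(build_trap("fe-monitor", FE_TEMP_TRAP_OID, 123456, [(OS_VERSION_OID, "8.1.0")])))
```

    With net-snmp the equivalent poll is `snmpget -v2c -c <community> <appliance> .1.3.6.1.4.1.16858.1.1.1`; `parse_message` accepts the datagram that command puts on the wire. The one function a trap receiver needs is `trap_event_oid`, which ignores anything that is not an SNMPv2-Trap PDU rather than trusting the packet type implicitly.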

     

    To enable the appliance to send notifications to the SNMP server for specific events, use the following CLI commands:

    hostname (Config) # snmp-server notify event <$event>
    hostname (Config) # write memory

    The events available for notification may vary between appliance types and operating system versions. The table below shows examples of events and event descriptions. For a list of events actually available on each appliance, use the following CLI command:

    hostname (Config) # snmp-server notify event ?

    • Note: as of 09 February 2017, event thresholds cannot be adjusted.
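    Because the trap thresholds live on the appliance and cannot be adjusted, any threshold you want at a different level has to be applied by the NMS to polled values, and the article notes that the appliance keeps no record of such thresholds. The following added example (written for this article, not FireEye or NMS-vendor code) shows the evaluation logic an NMS needs for that: a rising/falling pair per polled OID, mirroring the appliance's own paired traps such as excessive-temperature / normal-temperature, with hysteresis so a value hovering at the limit does not raise an event on every poll cycle. The OIDs under .1.3.6.1.4.1.99999 are placeholders, not FireEye OIDs; the sample values and the "disk-space-normal" event name are constructed.

```python
"""NMS-side rising/falling threshold evaluation for polled SNMP values.
Added example, not FireEye code; OIDs, thresholds and samples below are constructed."""

from dataclasses import dataclass


@dataclass
class Threshold:
    """One threshold pair for a polled OID. `limit` raises exceeded_event; the value must
    then cross back past `clear` before normal_event is raised (hysteresis)."""
    oid: str
    limit: float
    clear: float
    exceeded_event: str
    normal_event: str
    low_is_bad: bool = False   # True for values such as free space, where too low is the alarm
    active: bool = False       # True while the value is in the "exceeded" state

    def _breached(self, v):
        return v <= self.limit if self.low_is_bad else v >= self.limit

    def _cleared(self, v):
        return v >= self.clear if self.low_is_bad else v <= self.clear

    def evaluate(self, value):
        """Return the event to raise for this sample, or None if the state did not change."""
        if not self.active and self._breached(value):
            self.active = True
            return self.exceeded_event
        if self.active and self._cleared(value):
            self.active = False
            return self.normal_event
        return None


class NmsPoller:
    """Holds one Threshold per polled OID and evaluates the results of each poll cycle."""

    def __init__(self, thresholds):
        self.by_oid = {t.oid: t for t in thresholds}

    def process_cycle(self, cycle_no, results):
        """results: {oid: polled value} for one cycle; returns [(cycle_no, oid, value, event)]."""
        events = []
        for oid, value in results.items():
            t = self.by_oid.get(oid)
            if t is None:
                continue  # polled for graphing only, no threshold attached
            event = t.evaluate(value)
            if event:
                events.append((cycle_no, oid, value, event))
        return events

    def run(self, cycles):
        events = []
        for n, results in enumerate(cycles):
            events.extend(self.process_cycle(n, results))
        return events


# Constructed placeholder OIDs (not FireEye OIDs) and constructed poll results
TEMP_OID = ".1.3.6.1.4.1.99999.1.1"        # chassis temperature, degrees C
DISK_FREE_OID = ".1.3.6.1.4.1.99999.1.2"   # filesystem free space, percent

SAMPLE_CYCLES = [
    {TEMP_OID: 61, DISK_FREE_OID: 40},
    {TEMP_OID: 80, DISK_FREE_OID: 22},   # temperature reaches the limit
    {TEMP_OID: 79, DISK_FREE_OID: 9},    # temp dips but stays above clear; disk free drops below limit
    {TEMP_OID: 81, DISK_FREE_OID: 12},   # neither state changes: no events
    {TEMP_OID: 70, DISK_FREE_OID: 26},   # disk free back above its clear value
    {TEMP_OID: 65, DISK_FREE_OID: 30},   # temperature down to its clear value
]


def demo_events():
    poller = NmsPoller([
        Threshold(TEMP_OID, limit=80, clear=65,
                  exceeded_event="excessive-temperature", normal_event="normal-temperature"),
        Threshold(DISK_FREE_OID, limit=10, clear=25, low_is_bad=True,
                  exceeded_event="disk-space-low", normal_event="disk-space-normal"),
    ])
    return poller.run(SAMPLE_CYCLES)


if __name__ == "__main__":
    for cycle, oid, value, event in demo_events():
        print(f"cycle {cycle}: {oid} = {value} -> {event}")
```

    Feeding `process_cycle` with the varbinds returned by each poll is all that connects this to a live appliance; the state lives entirely in the `Threshold` objects, which is exactly the NMS-only record the article refers to.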

     

    Example events:

    deployment-check-failure      Deployment check has failed.
    deployment-check-recover      Deployment check has recovered.
    disk-space-low                File system free space has fallen too low.
    excessive-temperature         Excessive temperature has been reached.
    fan-failure                   A fan has failed.
    fan-recover                   A fan has recovered.
    hardware-bypass-entered       Permanent hardware bypass mode entered.
    http-throughput               HTTP throughput has not increased for a specified time.
    if-link-change                An interface link has changed.
    interface-down                An interface's link state has changed to down.
    interface-up                  An interface's link state has changed to up.
    license-state-changed         A license state has changed.
    normal-temperature            Temperature is normal.
    physical-disk-failure         A physical disk has failed.
    physical-disk-recover         A physical disk has recovered.
    power-supply-failure          A power supply has failed.
    power-supply-recover          A power supply has recovered.
    raid-status-failure           A RAID error has occurred.
    raid-status-recover           A RAID has recovered.
    security-update-failure       Security update has failed.
    sizing-threshold-exceeded     One of the sizing measurements has exceeded its threshold.
    sizing-threshold-normal       All sizing measurements have returned to normal.
    smart-warning                 Smartd warnings.
    snmp-authtrap                 An SNMP v3 request has failed authentication.

    Thanks to Support Engineers damienj, amitkarpe and benny.zukerman for contributing this article and to george.anderson and jason.bahga for its upkeep!