I'm having a similar problem and hoping someone can assist.
OS is Windows 2008 R2, SiteScope 11.22
I have configured a single 'SNMP Trap' monitor that I want to alert me when SNMP traps are received from a web application firewall device. I believe the remote end is correctly configured; running tcpdump on it (it's CentOS-based), I can see it sending out UDP traffic on port 162 to the IP of the box I run SiteScope on.
Unfortunately in SiteScope when configuring the SNMP Trap monitor and using the 'Use Tool' button and then clicking 'Run Tool' (with 'Content match:' left empty to match all content) I get '0 traps' returned. The same thing happens if I use the 'SNMP Trap Tool' via the 'Tools' menu.
Under 'Preferences' --> 'SNMP Preferences' I have the following configured in the 'Receive SNMP Traps Preferences' section:
Host: 10.x.x.x # The IP of the web application firewall
I've read that a SiteScope/logs/snmptrap.log file should be appended to if SiteScope is configured to receive traps. This log doesn't exist in my setup.
I'm not sure if these are still used/important -- if they are I'd imagine things like _snmpHost and _snmpPort should be populated? Unsure.
I think my problem, if SiteScope is meant to include full functionality to respond to SNMP traps, is that it's not running any kind of listener to receive traps and therefore isn't writing said logfile.
Alternatively, is SiteScope meant to piggy-back off the Windows SNMP service, or the Windows SNMP Trap service? I haven't done a great deal of configuration in these sections (in fact there's none available in the latter) but have tried ensuring community strings exist under the SNMP service preferences and that they match what I configured on the remote device, and included the IP of the remote device under 'Accept SNMP packets from these hosts'. I've also configured a matching community name in the 'Traps' tab and configured trap destinations as 'localhost'. Unsure if any of this is required (documentation unclear).
I've tried turning on and off the SNMP Trap service. If I stop it, the SiteScope server rejects the traps from the remote device at the IP level as no port is listening.
In my current situation, and somewhat following the brief advice in the previous post, I have the SiteScope Receive SNMP Trap Preferences to receive traps directly from the remote device on port 16000 to bypass any port conflict from the standard Windows SNMP service, and have restarted SiteScope.
This isn't working as, again, nothing is listening on port 16000. What am I meant to do to get either SiteScope listening for traps, or reconfigure the Windows SNMP services to correctly deal with them and forward to SiteScope?
That number at the end is the PID of the process using the port in question. So now, run the following (change the number to match the number you got back):
tasklist | findstr 3184
If it is Sitescope that's using that port, you should see something like this:
SiteScope.exe 3184 Services 0 758,408 K
Assuming all the above checks out for you, I'd next confirm that a) your firewalls are permitting UDP traffic from the device sending SNMP traps to your Sitescope server over UDP port 162 and b) that the device sending the SNMP traps is sending them to your Sitescope server over UDP port 162.
There shouldn't be two processes both binding to port 162. In fact, I'm a bit baffled how the Windows OS would allow something like this, but that's beside the point.
It looks like you have your Windows "SNMP Trap" service started, correct? If so, stop the "SNMP Trap" service, set it to "Manual", then retry your Sitescope monitors. What you're looking for is for one process only to be bound to UDP port 162, so after you've stopped the "SNMP Trap" process, run the following command again and confirm that you're only seeing one PID coming back:
netstat -ano | findstr :162
If the SNMP traps are sent and received successfully, you should see a new logfile called "snmptrap.log" appearing in your Sitescope logfile directory.
EDIT: I did some more reading on UDP ports and, apparently, it is possible to have multiple processes binding to the same UDP port. I'd personally not recommend this though, but that's more a matter of personal opinion than anything else.
I'd still recommend having only Sitescope bind to port 162 in this case. Either that, or change the SNMP port for Sitescope.
Not sure which OS you have running on the device that is sending the SNMP traps, but if it's a *Nix type system with SNMP v2 installed, you could give this command a try as a simple test:
snmptrap -v 2c -c public <YOUR_SITESCOPE_IP>:162 '' 188.8.131.52.4.1.2021.13.991 \
    .184.108.40.206.220.127.116.11 s "`hostname`" \
    18.104.22.168.22.214.171.124 s "TEST SNMP TRAP" \
    126.96.36.199.188.8.131.52 s "Application" \
    184.108.40.206.220.127.116.11 s "Critical" \
    18.104.22.168.22.214.171.124 s "This is a test SNMP trap to see if communications are OK"
If the above command runs OK, you should see an entry in your snmptrap.log file on the Sitescope side matching what was sent above.
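Added example, not from this thread and not SiteScope or net-snmp code: a standard-library-only Python SNMPv2c trap encoder/decoder that can play either side of the exchange discussed above. On the CentOS device, send_trap() sends a well-formed v2c trap without needing the snmptrap utility; on the SiteScope host, listen() is a stand-in receiver that proves whether the device's datagrams reach the box at all (run it with SiteScope and the Windows "SNMP Trap" service stopped so the port is free; 162 needs administrator rights). The enterprise OID 1.3.6.1.4.1.99999.1 and the varbinds under it are placeholders assumed for this example. Note that a real OID's first arc is 0, 1 or 2, so encode_oid rejects IP-address-like strings such as the ones in the quoted command; the decoder also refuses SNMPv1 Trap-PDUs (tag 0xA4), which some devices still send and which have a different layout.

```python
import socket
import time

SYS_UPTIME_OID = "1.3.6.1.2.1.1.3.0"      # sysUpTime.0: mandatory first varbind of a v2c trap
SNMP_TRAP_OID = "1.3.6.1.6.3.1.1.4.1.0"   # snmpTrapOID.0: mandatory second varbind
EXAMPLE_TRAP_OID = "1.3.6.1.4.1.99999.1"  # assumed placeholder, not a registered enterprise OID

def _tlv(tag, body):  # BER tag-length-value, short or long definite length
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def encode_int(value, tag=0x02):  # minimal two's complement; 0x02 INTEGER, 0x43 TimeTicks
    n = (value.bit_length() if value >= 0 else (-value - 1).bit_length()) // 8 + 1
    return _tlv(tag, value.to_bytes(n, "big", signed=True))

def encode_oid(oid):
    arcs = [int(a) for a in oid.strip(".").split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError("invalid OID %r: first arc must be 0-2 (an IP-like prefix is not an OID)" % oid)
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:  # base-128 digits, continuation bit on all but the last byte
        chunk = [arc & 0x7F]
        while arc >> 7:
            arc >>= 7
            chunk.insert(0, 0x80 | (arc & 0x7F))
        body += bytes(chunk)
    return _tlv(0x06, bytes(body))

def decode_oid(body):
    first = min(body[0] // 40, 2)
    arcs, acc = [first, body[0] - 40 * first], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, acc = arcs + [acc], 0
    return ".".join(map(str, arcs))

_ENCODERS = {"s": lambda v: _tlv(0x04, v.encode()), "i": encode_int, "o": encode_oid, "t": lambda v: encode_int(v, 0x43)}

def build_trap(community, trap_oid, varbinds, uptime_ticks=0, request_id=1):
    """SNMPv2c message carrying a Trap-PDU (0xA7); varbinds = [(oid, kind, value)], kind in 'siot'."""
    vbs = [(SYS_UPTIME_OID, "t", uptime_ticks), (SNMP_TRAP_OID, "o", trap_oid)] + list(varbinds)
    vbl = b"".join(_tlv(0x30, encode_oid(o) + _ENCODERS[k](v)) for o, k, v in vbs)
    pdu = _tlv(0xA7, encode_int(request_id) + encode_int(0) + encode_int(0) + _tlv(0x30, vbl))
    return _tlv(0x30, encode_int(1) + _tlv(0x04, community.encode()) + pdu)  # version 1 == v2c

def _read_tlv(buf, pos):
    tag, length = buf[pos:pos + 2]  # unpacking fails with ValueError on a truncated header
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("BER length runs past end of datagram")
    return tag, buf[pos:pos + length], pos + length

def parse_trap(datagram):
    """Decode a v2c trap datagram into version, community, request-id and (oid, value) pairs."""
    tag, msg, _ = _read_tlv(datagram, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, ver, pos = _read_tlv(msg, 0)
    _, community, pos = _read_tlv(msg, pos)
    pdu_tag, pdu, _ = _read_tlv(msg, pos)
    if pdu_tag != 0xA7:  # 0xA4 would be an SNMPv1 Trap-PDU, which has a different layout
        raise ValueError("unsupported PDU type 0x%02x (only v2c Trap-PDU 0xA7 decoded)" % pdu_tag)
    _, rid, pos = _read_tlv(pdu, 0)
    for _ in range(2):  # skip error-status and error-index
        _, _, pos = _read_tlv(pdu, pos)
    _, vbl, _ = _read_tlv(pdu, pos)
    varbinds, pos = [], 0
    while pos < len(vbl):
        _, vb, pos = _read_tlv(vbl, pos)
        _, oid_body, p = _read_tlv(vb, 0)
        vtag, vbody, _ = _read_tlv(vb, p)
        if vtag in (0x02, 0x41, 0x42, 0x43, 0x46):  # INTEGER is signed; Counter/Gauge/TimeTicks are not
            value = int.from_bytes(vbody, "big", signed=(vtag == 0x02))
        else:  # OCTET STRING as text, OID dotted; NULL, IpAddress, Opaque etc. left raw
            value = vbody.decode("utf-8", "replace") if vtag == 0x04 else decode_oid(vbody) if vtag == 0x06 else vbody
        varbinds.append((decode_oid(oid_body), value))
    return {"version": int.from_bytes(ver, "big", signed=True), "community": community.decode("utf-8", "replace"),
            "request_id": int.from_bytes(rid, "big", signed=True), "varbinds": varbinds}

def send_trap(host, port=162, community="public"):
    """Send one test trap from the device side; the OIDs under EXAMPLE_TRAP_OID are assumptions of this example."""
    vbs = [(EXAMPLE_TRAP_OID + ".1", "s", socket.gethostname()), (EXAMPLE_TRAP_OID + ".2", "s", "TEST SNMP TRAP")]
    datagram = build_trap(community, EXAMPLE_TRAP_OID, vbs, uptime_ticks=int(time.monotonic() * 100) & 0xFFFFFFFF)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(datagram, (host, port))
    return len(datagram)

def listen(port=162, timeout=60):
    """Stand-in receiver for the SiteScope host: stop SiteScope and the Windows 'SNMP Trap' service first."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(("", port))  # 162 needs admin/root; use e.g. 16000 when testing a non-standard port
        s.settimeout(timeout)
        data, peer = s.recvfrom(65535)
    return dict(parse_trap(data), sender=peer[0])
```

Usage: on the device, `send_trap("<YOUR_SITESCOPE_IP>", 162)` (or the port set under Receive SNMP Traps Preferences); on the SiteScope host, with both SiteScope and the Windows "SNMP Trap" service stopped, `listen(162)` from an elevated prompt. If listen() returns the decoded trap, the network path is fine and the remaining question is which process owns the port when SiteScope is running; if it times out while tcpdump on the device still shows the datagram leaving, the problem is between the two hosts, not SiteScope.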
I ran the above mentioned command and it shows nothing on the command line, and also the snmptrap.log file is not created under the <sis_root_dir>/logs folder. Is there any other way to check whether SiteScope is capturing traps or not?
You can try the built-in Sitescope SNMP Trap tool, but if there's no snmptrap.log then I'm relatively sure Sitescope hasn't received anything yet.
To test though, in your Sitescope UI, go to "Tools" (bottom left), then "SNMP Tools", then "SNMP Trap tool". Fill in the following in the content match area:
Now click on "Run Tool". It should display all the SNMP traps received (if any).
At this stage, we know that you have the necessary SNMP Trap monitors running and that only Sitescope is listening on port 162. We also know that neither the method your application uses to send SNMP traps nor the "snmptrap" utility produces any received traps on the Sitescope side of things.
This leads me to suspect that the issue is something to do with communications, most likely UDP port 162 not being allowed from your device sending the SNMP traps to your Sitescope machine.
I'd ask your network administrator to check, and if communications are indeed not allowed, to permit.
I tried the above mentioned tool and tried to send a trap from my Sitescope machine to Sitescope. It is working fine; with this I am able to create a snmptrap.log file. So it means there is some network communication problem or some other reason that I am not able to capture traps from other devices?
That narrows it down to network communications I'd say.
We know your Sitescope appears to do what it's supposed to, so the only conclusion I can make at this point is that your Sitescope isn't creating an snmptrap.log file as it's simply not receiving any SNMP traps from the device you're trying to send from.
I'd try Kenneth's recommendations as well, but again, to me this looks like a definite firewall issue.
tasklist | findstr 34760
snmptrap.exe 34760 Services 0 8,208 K
Seems that port 162 is listening. But Sitescope is not running using port 162. Can you let me know how I can make Sitescope use port 162? It was using port 162 before and was receiving the traps. Suddenly it stopped receiving traps and this seems to be the reason.
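Added example, not part of the thread and not a SiteScope tool: the netstat/tasklist check from the earlier reply as a script, so the "who owns UDP 162?" question in the last post can be answered without eyeballing findstr output. It parses `netstat -ano` and `tasklist /fo csv` output, matches the local UDP port exactly (a plain `findstr :162` also hits :1620 and foreign-address ports), and reports one of four verdicts: nothing listening, a conflict between two processes, the wrong owner, or SiteScope alone. The sample output below is constructed to mirror the situation in the last post, where snmptrap.exe (the image of the Windows "SNMP Trap" service) holds the port; the PIDs and image names are assumptions, not captures.

```python
import csv
import io
import re
import subprocess

# Constructed sample output in the shape of 'netstat -ano' and 'tasklist /fo csv' on Windows
# (not real captures; PIDs chosen to mirror the thread).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING       3184
  TCP    10.0.0.5:49221         10.0.0.9:1620          ESTABLISHED     4711
  UDP    0.0.0.0:162            *:*                                    34760
  UDP    0.0.0.0:162            *:*                                    3184
  UDP    0.0.0.0:1620           *:*                                    1120
  UDP    [::]:162               *:*                                    34760
"""
SAMPLE_TASKLIST = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"SiteScope.exe","3184","Services","0","758,408 K"
"snmptrap.exe","34760","Services","0","8,208 K"
"java.exe","1120","Services","0","120,004 K"
"""

NETSTAT_LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")

def udp_binders(netstat_text, port):
    """{pid: [local address, ...]} for UDP sockets whose LOCAL port is exactly `port`.
    'findstr :162' also matches :1620 and foreign-address ports; this does not."""
    binders = {}
    for line in netstat_text.splitlines():
        m = NETSTAT_LINE.match(line)
        if m and m.group(1) == "UDP" and int(m.group(2).rsplit(":", 1)[1]) == port:
            binders.setdefault(int(m.group(5)), []).append(m.group(2))
    return binders

def process_names(tasklist_csv):
    """PID -> image name from 'tasklist /fo csv' (CSV is safer to parse than the default table)."""
    return {int(row[1]): row[0] for row in csv.reader(io.StringIO(tasklist_csv))
            if len(row) >= 2 and row[1].isdigit()}

def check_trap_port(netstat_text, tasklist_csv, port=162, expected="SiteScope.exe"):
    """Who holds the UDP trap port, and is it the expected receiver, alone?"""
    names = process_names(tasklist_csv)
    owners = sorted((names.get(pid, "<unknown>"), pid) for pid in udp_binders(netstat_text, port))
    if not owners:
        verdict = "NOTHING listens on UDP %d: traps are dropped (sender sees ICMP port unreachable)" % port
    elif len(owners) > 1:
        verdict = "CONFLICT: %d processes bound to UDP %d; stop the one that is not %s" % (len(owners), port, expected)
    elif owners[0][0].lower() != expected.lower():
        verdict = "WRONG OWNER: %s (PID %d) holds UDP %d instead of %s" % (owners[0] + (port, expected))
    else:
        verdict = "OK: only %s (PID %d) is bound to UDP %d" % (owners[0] + (port,))
    return {"port": port, "owners": owners, "verdict": verdict}

def check_live(port=162):
    """Run the real commands on the SiteScope host (Windows only)."""
    ns = subprocess.run(["netstat", "-ano"], capture_output=True, text=True, check=True).stdout
    tl = subprocess.run(["tasklist", "/fo", "csv"], capture_output=True, text=True, check=True).stdout
    return check_trap_port(ns, tl, port)

if __name__ == "__main__":
    report = check_trap_port(SAMPLE_NETSTAT, SAMPLE_TASKLIST)  # swap in check_live(162) on the server
    for name, pid in report["owners"]:
        print("  %-20s PID %d" % (name, pid))
    print(report["verdict"])
```

On the sample data the verdict is CONFLICT (SiteScope.exe and snmptrap.exe both bound); with the snmptrap.exe lines removed it is OK, and with only snmptrap.exe holding the port, which is what the last post's tasklist output shows, it is WRONG OWNER. In that last case the fix from the earlier reply applies: stop the Windows "SNMP Trap" service, set it to Manual, restart SiteScope and run check_live(162) again. If SiteScope has been moved to another port (16000 in the first post), pass that port instead.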