SNMP Trap and Rsyslog Setup for Ubuntu 20+

When wanting to implement NMIS9 as trap and syslog receiver on Ubuntu 20.04 or greater. 

Step-by-step guide


SNMPTRAP Steps

  1. First you want to install snmptrapd. I also recommend going ahead and enabling snmptrapd to start automatically in case of server reboots

    Install snmptrapd
    apt-get install snmptrapd
    systemctl enable snmptrapd
  2. With NET-SNMP Version 5.8 and systemd you will need to override snmptrapd.service. This means that when starting snmptrapd the options you put in the override file will be what starts and not what snmptrapd defaults with.

    Edit snmptrapd service
    systemctl edit snmptrapd
  3. In the edit window that appears you will want to paste the below text. Editor is nano, I recommend using the default file name so you just need to save and exit (ctl+o, ctl+w)

    override.conf text
    [Service]
    ExecStart=
    ExecStart=/usr/sbin/snmptrapd -f -n -Oq -Ls2 -m ALL -M /usr/local/nmis9/mibs/traps

  4. Edit the /etc/default/snmptrapd file, replacing default TRAPDOTS with the below:

    edit snmptrapd
    vi /etc/default/snmptrapd 
    /etc/default/snmptrapd
    TRAPDOPTS='-n -LS2d -p /var/run/snmptrapd.pid -m ALL -M /usr/local/nmis9/mibs/traps'
    TRAPDRUN=yes
  5. Edit the /etc/snmp/snmptrapd.conf file,
    edit snmptrapd.conf
    vi /etc/snmp/snmptrapd.conf
    /etc/snmp/snmptrapd.conf
    disableAuthorization yes
    #If you have installed nmis9 in a different directory make sure to change below to match.
    traphandle default /usr/local/nmis9/bin/traplog.pl
  6. Now we need to reload the daemon and restart the service.

    reload daemons
    systemctl daemon-reload
    systemctl restart snmptrapd
    # Always a good idea to check status
    systemctl status snmptrapd

 Rsyslog Steps

  1. First you want to make sure rsyslog is installed, I also recommend going ahead and making sure its enabled to start automatically in case of server reboots

    Install snmptrapd
    apt-get install rsyslog
    systemctl enable rsyslog
  2. Copy the rsyslog.conf file from nmis9/conf-default/rsyslog and replace the current rsyslog file.

    rsyslog
    #make a backup of the orginal
    cp /etc/rsyslog.conf /etc/rsyslog.conf.bak
    cp /usr/local/nmis9/conf-default/rsyslogd/rsyslog.conf /etc/rsyslog.conf
  3. Now we will edit rsyslog.

    rsyslog.conf edit
    vi /etc/rsyslog.conf
    rsyslog text add
    # Go to the end of the file and add:
    
    local7.*                                                /usr/local/nmis9/logs/device.log
    
    
  4. Reload and restart Daemon

    reload daemons rsyslog
    systemctl daemon-reload
    systemctl restart rsyslog
    # Always a good idea to check status
    systemctl status rsyslog
  5. Time to test! To verify operation you can send a test trap either locally or from another Linux server, this example sends an Opmantek event trap.

    test trap
    sudo snmptrap -v 2c  -c public 127.0.0.1 80000 1.3.6.1.4.1.4818 1.3.6.1.4.1.4818.1 s Event

Add New SNMP MIBS for Trap Processing

If you are receiving SNMP traps from devices which are just numbers, then you will need to add the MIBS so that the SNMP trap daemon can decode them them for you.  First you need to identify the required MIB files and any dependant MIB files and then copy those files to the directory /usr/local/nmis9/mibs/traps and restart the SNMP trap daemon.

service snmptrapd restart

You can test the decoding using the snmptranslate command, which was described in a previous section.

opEvents - Centralized Logging Solution

opEvents - Syslog Handling - Adding a New Vendor

opEvents - Syslog Handling - Adding a New Format