We are trying to configure SNMP trap sending from QRadar to a Zabbix based on CRE Offenses and events.
Following this guide:
https://www.ibm.com/support/knowledgecenter/SS42VS_7.4/com.ibm.qradar.doc/c_qradar_adm_snmp_config.html
In particular:
https://www.ibm.com/support/knowledgecenter/SS42VS_7.4/com.ibm.qradar.doc/t_qradar_adm_snmp_send.html?view=kc
We configured the SNMP trap sending based on a rule that we configured.
The trap doesn't seem to work though:
This is an error we receive in qradar.log:
Aug 7 14:32:01 ::ffff:172.25.0.96 [ecs-ep.ecs-ep] [ECS Runtime Thread] com.ibm.si.ep.SNMPV2: [ERROR] [NOT:0000003000][QradarIP/- -] [-/- -]Invalid host specified: %ZabbixIP% SNMP sender will be disabled
The IP address is our Zabbix machine; sending a trap manually works fine:
17:10:53.330054 IP (tos 0x0, ttl 64, id 45398, offset 0, flags [DF], proto UDP (17), length 98)
qradarhostname.51578 >zabbixhostname.com.snmptrap: [bad udp cksum 0x6ed2 -> 0x9425!] { SNMPv2c C="Public" { V2Trap(55) R=1391468547 system.sysUpTime.0=0 S:1.1.4.1.0=E:20212.1.2 }
This is a tcpdump of an SNMP trap sent from QRadar to our monitoring system.
This is the "host part" of the OffenseCRE.snmp.xml:
<creSNMPTrap name="offenseCRENotification" OID="1.3.6.1.4.1.20212.1.2" version="2">
<trapConfig>
    <snmpHost snmpVersion="2" port="162" retries="10" timeout="500">*Zabbix IP address*</snmpHost>
    <communityString>Public</communityString>
If the IP address is not a valid host, what should I put into the "host" field mentioned in this documentation?
https://www.ibm.com/support/knowledgecenter/SS42VS_7.4/com.ibm.qradar.doc/t_qradar_adm_snmp_send.html
We need some help with the configuration because there are no examples of how to configure it in the Knowledge Center.
------------------------------
Alessandro Di Liberto
------------------------------
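A small validator for the trapConfig section, added here as an illustration and not part of the original post or of QRadar's own code. It parses a constructed creSNMPTrap document modelled on the fragment quoted above (the closing tags, the host value and the helper names are assumptions) and checks the things the "Invalid host specified" error points at: the snmpHost text must be a literal IP address or a syntactically valid hostname with no placeholder characters or surrounding whitespace, the port must be in range, and the community string must be present.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

# Constructed sample modelled on the OffenseCRE.snmp.xml fragment in the post.
# The closing tags and default values are assumptions, not the poster's real file.
def build_config(host, community="Public", port="162", version="2"):
    return f"""<creSNMPTrap name="offenseCRENotification" OID="1.3.6.1.4.1.20212.1.2" version="{version}">
  <trapConfig>
    <snmpHost snmpVersion="{version}" port="{port}" retries="10" timeout="500">{host}</snmpHost>
    <communityString>{community}</communityString>
  </trapConfig>
</creSNMPTrap>
"""

SAMPLE_XML = build_config("*Zabbix IP address*")   # literal placeholder, as in the post

# RFC 1123 hostname label: letters, digits and hyphens, no leading/trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_valid_host(value):
    """True if value is a literal IPv4/IPv6 address or a syntactically valid hostname.

    Empty strings, surrounding whitespace and placeholder text such as
    '*Zabbix IP address*' or '%ZabbixIP%' all fail. No DNS lookup is done,
    so a well-formed but unresolvable name still passes here.
    """
    if not value or value != value.strip():
        return False
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        pass
    if len(value) > 253:
        return False
    labels = value.rstrip(".").split(".")
    return all(_LABEL.match(label) for label in labels)


def check_trap_config(xml_text):
    """Return a list of human-readable problems in a creSNMPTrap document (empty if OK)."""
    problems = []
    root = ET.fromstring(xml_text)

    host_el = root.find("./trapConfig/snmpHost")
    if host_el is None:
        return ["missing <snmpHost> element under <trapConfig>"]

    host = host_el.text or ""
    if not is_valid_host(host):
        problems.append(f"snmpHost {host!r} is not an IP address or hostname")

    port = host_el.get("port", "")
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        problems.append(f"port {port!r} is not in 1-65535")

    # The trap version on the root and the snmpVersion on the host should agree.
    if host_el.get("snmpVersion") != root.get("version"):
        problems.append("snmpVersion on <snmpHost> does not match version on <creSNMPTrap>")

    community_el = root.find("./trapConfig/communityString")
    if community_el is None or not (community_el.text or "").strip():
        problems.append("communityString is missing or empty")

    return problems


if __name__ == "__main__":
    for label, doc in (("placeholder", SAMPLE_XML), ("fixed", build_config("192.0.2.10"))):
        issues = check_trap_config(doc)
        print(f"{label}: {'OK' if not issues else '; '.join(issues)}")
```

Run against the placeholder the check reports the host problem; with a real address (192.0.2.10 is a documentation address used here as a stand-in) it passes. Two points worth keeping in mind when comparing with the tcpdump output above: the community string is case-sensitive, so "Public" in the file must match exactly what the receiver expects, and the validator only checks syntax, so a hostname that parses but does not resolve from the QRadar host would still be rejected at runtime.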