SNMP (Simple Network Management Protocol) traps are alert messages sent from network devices—such as routers, switches, servers, or printers—to an SNMP manager. These messages indicate specific events or changes on the device, such as:
- Interface or port failures
- Hardware malfunctions
- Threshold breaches
Each trap is mapped to a predefined condition in the device’s Management Information Base (MIB) and contains variable bindings that define the alert. OpsRamp processes incoming SNMP traps and converts them into actionable alerts within the platform.
Prerequisites
Before configuring SNMP traps, ensure the following requirements are met.
- Network Configuration
- Port Access: Allow UDP port 162 (unidirectional) from the monitored device to the OpsRamp Gateway.
- Gateway IP Configuration
- Classic Gateway: Configure the Gateway IP address on the sending device.
- NextGen Gateway: Configure the external IP address of the UDP service on the sending device.
To retrieve the list of services and their corresponding IP addresses for the NextGen Gateway, run the following command:
kubectl get svc -n <namespace>
Here, replace
SNMP Version and Credential Setup
SNMPv1 and SNMPv2
- No credentials are required.
- The gateway interprets Trap OIDs directly, as messages are unencrypted.
SNMPv3
SNMPv3 messages are encrypted and require credentials to decode the traps. You can configure this in one of two ways:
Use Default SNMPv3 Credentials
OpsRamp Gateways are pre-configured with default SNMPv3 credentials. If your devices use these credentials, no additional configuration is required. To retrieve the list of default credentials, contact the OpsRamp Support team.
Define Custom SNMPv3 Credentials
If you want to define custom SNMPv3 credentials, configure them in the Gateway with Base64 encoding. Otherwise, SNMPv3 traps will not be processed.
Define custom SNMPv3 credentials in the following format:
securityname###authProto###authPassPhrase###privProto###privPassphrase
Example: user6###MD5###abcdef@123###DES###ghijkl@456
Note
If any field is not required or should be left empty, useNONE as the placeholder.
Example: user6###NONE###NONE###NONE###NONESNMP Privacy Protocols
Format of the protocol names to be followed in the trap configuration file:
| Privacy Protocol | Configuration Format |
|---|---|
| DES | DES |
| DES3 | DES3 |
| AES | AES |
| AES128 | AES-128 |
| AES192 | AES-192 |
| AES256 | AES-256 |
| AES192C | AES-192-C |
| AES256C | AES-256-C |
SNMP Authentication Protocols
Use the following configuration formats when defining SNMPv3 authentication protocols in the trap configuration file.
| Authentication Protocol | Configuration Format |
|---|---|
| SHA | SHA |
| SHA224 | SHA224 |
| SHA256 | SHA256 |
| SHA384 | SHA384 |
| SHA512 | SHA512 |
| MD5 | MD5 |
SNMPv3 Credential Format Examples
Use the following syntax to define custom SNMPv3 credentials in the configuration file:
Examples
SNMP v3 credentials are AuthPriv then
snmpusername###MD5###snmpuserauthstring###DES###snmpprivstring
SNMP v3 credentials are AuthNoPriv then
snmpusername###MD5###snmpuserauthstring###NONE###NONE
SNMP v3 credentials are NoAuthNoPriv then
snmpusername###NONE###NONE###NONE###NONE
Detailed Example
For a device with the following SNMPv3 credentials:
- Username:
user6 - Auth:
MD5 - Authorization password:
abcdef@123 - Privacy:
DES - Privacy password:
ghijkl@456
The custom credential format is: user6###MD5###abcdef@123###DES###ghijkl@456
Encode credentials
After formatting the credentials, convert the formatted credentials to Base64 encoding using a tool of your choice. The user6###MD5###abcdef@123###DES###ghijkl@456 formatted credentials are encoded as dXNlcjYjIyNNRDUjIyNhYmNkZWZAMTIzIyMjREVTIyMjZ2hpamtsQDQ1Ng==.
SNMPv3 Custom Credentials Configuration - Classic Gateway
You can configure multiple SNMPv3 credentials in the Classic Gateway. Each credential must be added on a new line in the configuration file.
- Log in to the gateway using the
ruseraccount. - Open the
/opt/gateway/vprobe/conf/snmp_trap_v3_credentials.cfgfile for editing: - Copy and paste the Base64-encoded SNMPv3 credentials into the file.
Note
For instructions on formatting and encoding credentials, see Define Custom SNMPv3 Credentials.- Save the file and restart the vprobe service using the following command:
service vprobe restart
Your gateway is set up to process SNMPv3 traps using the configured credentials.
SNMP V3 Custom Credentials Configuration - NextGen Gateway
To configure SNMPv3 trap credentials in the NextGen Gateway:
- Create a YAML file in the gateway under the path
/home/gateway-admin(for example:snmp_trap_v3_creds.yml).
snmp_trap_v3_credentials: |-
base64EncodedCredKey1
base64EncodedCredKey2
base64EncodedCredKey3
Note
Ensure that there are two spaces under thesnmp_trap_v3_credentials key before listing the Base64-encoded keys. Proper YAML indentation is required for the file to be parsed correctly.- Copy the Base64-encoded key in the above save the file.
- Retrieve the existing chart version by running the following command:
helm list -n <namespace>
Here, replace
- Update the NextGen gateway helm chart using following command:
helm upgrade nextgen-gw oci://us-docker.pkg.dev/opsramp-registry/gateway-cluster-charts/nextgen-gw --version <current_helm_chart_version> -f <YamlFileName> -n <NAMESPACE> --reuse-values
Note
In the nextgen gateway, SNMP v3 credentials for traps supporting on the 17.0.0 gateway or later.Configure SNMP Traps
- Create an SNMP Trap monitor for each client.
- Configure SNMP Trap
Custom SNMPv3 Credentials Configuration
SNMP Traps Processing Flow
When a trap is sent from a monitored device, the OpsRamp Gateway processes it through the SNMP Trap Monitor configuration. The processing flow follows these steps:
Step 1: OID Filtering
The gateway checks whether the Trap OID is part of the Exclude OID list or the Include OID list.
Exclude OID:
If the OID is in the exclude list, the trap is dropped.
If not, the trap proceeds to further evaluation.Include OID:
If the OID is in the include list, the trap is processed.
If not, the trap is dropped.
Conflict Resolution:
If the OID exists in both the global-level exclusion list and the include list, the trap will be processed.
If the trap passes this step, proceed to Step 2.
Step 2: Device IP Address Filtering
The gateway checks whether the device’s IP address matches the filtering criteria defined in the SNMP Trap Monitor configuration.
- If the IP address is included in the selected filters, the trap is processed.
- If not, the trap is ignored.
If the Process All Interface Traps option is selected:
- The gateway processes traps for both monitored and unmonitored interfaces.
If not selected:
- Only traps from monitored interfaces are processed.
Step 3: Trap Deduplication Window
- If a trap with the same state (e.g.,
warningorcritical) is received again within 30 minutes, the gateway drops the repeated trap to avoid duplicates.
Trap Throughput Capacity
- The OpsRamp Gateway can process up to 1000 traps per minute.
Attenuated Alerts
Alert throttling is handled at the gateway level.
By default, only 4 alerts per 10 minutes are allowed for each unique key combination:
deviceIP_metric_componentOnce the throttling threshold is reached:
- The gateway stops sending alerts to the cloud for that key for the next 10 minutes.
- After the 10-minute window, if a new alert is generated, the subject line is prepended with:
Attenuated alerts
- In the OpsRamp tool, alert throttling is handled at the gateway end, with a default configuration of 4 alerts (Key: deviceip_metric_component) per 10 minutes. Whenever it reaches throttling limit then we are stop sending alerts to cloud till 10 mins is completed and once 10 mins interval is completed then we are prepending alert subject with Attenuated Alert.
- If the cloud receives more than one alert against the (Key: deviceip_metric_component) within a minute, the OpsRamp cloud processes only one alert, and the remaining alerts are dropped.