Alerts Settings: SNMP
Use the SNMP tab in the Alerts Settings dialog box to configure DeviceLock Service for SNMP support.
To open this dialog box, do either of the following:
•Right-click Alerts in the console tree, and then click Manage.
•Select
Alerts in the console tree, and then click
Manage 
on the toolbar.
•Select Alerts in the console tree; then, in the details pane, right-click SNMP and click Manage.
•Select Alerts in the console tree, and then double-click SNMP in the details pane.
Note: You can define different online vs. offline alert settings. Online alert settings (Regular Profile) apply to client computers that are working online. Offline alert settings (Offline Profile) apply to client computers that are working offline. By default, DeviceLock works in offline mode when the network cable is not connected to the client computer. For detailed information on DeviceLock offline policies, see
DeviceLock Security Policies (Offline Profile). |
DeviceLock supports SNMPv1, SNMPv2c, and SNMPv3 protocols. You can configure DeviceLock Service to automatically send alert notifications to the specified SNMP server when alert conditions occur. These alerts are sent only when all of the following conditions are met:
•The SNMP server is set up to receive traps.
•The remote computer running the SNMP server is accessible from all computers running DeviceLock Service.
•Alerts have been configured to be sent through SNMP traps.
Complete the SNMP tab as follows:
•SNMP protocol version - Configure DeviceLock Service to use the version of SNMP supported by the SNMP server. Available options are: SNMPv1, SNMPv2c, and SNMPv3.
•Connection - Configure the SNMP server information.
•Server - Specify the SNMP sever to send traps to. To do so, in the Server box, type the SNMP server host name or IP address.
•Protocol - Specify the transport protocol for passing data between DeviceLock Service and the SNMP server. Available options are: UDP and TCP.
•Timeout - Specify the time (in seconds) that DeviceLock Service waits for the SNMP server to reply before retransmitting the data packet. The default value is 1 second.
•Port - Specify the port on which the SNMP server listens for traps. The default value is 161.
•Retransmits - Specify the number of times DeviceLock Service’s request is re-sent to the SNMP server, if the server is not responding. The default value is 5.
This value is set only for TCP connections.
•Security - Configure SNMP security settings:
•Community - Specify the SNMP community string to use for authentication with the SNMP server. The default value is public. Applicable only to SNMPv1 and SNMPv2c.
•Security user name - Specify the user account to use for authentication with the SNMP server. Applicable only to SNMPv3. If authentication is not required, no authentication credentials need to be specified.
•Context name - Specify the context name if an SNMP context is configured on the SNMP server. Applicable only to SNMPv3.
•Context engine ID - Specify the context engine ID if an SNMP context is configured on the SNMP server. Applicable only to SNMPv3.
•Authentication protocol - Specify the protocol used to encrypt the authentication with the SNMP server. Applicable only to SNMPv3. Available options:
•None - Corresponds to the SNMP security level No security. Communication without authentication and without privacy.
•HMAC-SHA - Corresponds to the SNMP security level Authentication.
•Password/Confirm password - Specify the password corresponding to the user account to use for authentication with the SNMP server. Applicable only to SNMPv3.
•Privacy protocol - Specify the protocol used to encrypt data for SNMP communication. Applicable only to SNMPv3. Available options:
•None - Corresponds to the SNMP security level No security. Communication with authentication and without privacy.
•CBC-AES-128 - Corresponds to the SNMP security level Authentication and Privacy. Communication with authentication and privacy.
•Password/ Confirm password - Specify the password for data encryption (privacy). Applicable only to SNMPv3.
•Threshold - Specify the time interval (in hours, minutes and seconds) used for event aggregation when generating alerts. DeviceLock Service aggregates multiple similar events occurring within the threshold time and generates a summary in a single alert if all of the following conditions are true:
a) The events are of the same type (Success, Failure, or Information).
b) The events are associated with the same device type/protocol.
c) The events are associated with the same user.
d) The events are associated with the same PID.
The default value is 0 seconds.
Note: DeviceLock Service aggregates only access-related events when generating alerts. Administrative events are not aggregated. |
•Test - Send a test SNMP trap to verify that DeviceLock Service is configured correctly. This test operation can have two different outcomes, each resulting in a different message being displayed:
•The test can complete successfully, meaning that a test SNMP trap was successfully sent using the configured SNMP trap parameters. The resulting message states: “Test SNMP alert was successfully sent.”
•The test can fail, meaning that a test SNMP trap was not sent. The resulting message states: “Test SNMP alert was not sent due to error: <error description>.”
SNMP traps by DeviceLock Service are presented in the Management Information Base (MIB) format. MIB for DeviceLock Service has the object identifier (OID) 1.3.6.1.4.1.60000 or iso.org.dod.internet.private.enterprise.DeviceLock, and it contains the following branch nodes:
•products(1)
•agent(1)
•alerts(1) - This node contains the following single MIB objects:
•eventType(1) - The class of an event: Success for allowed access, Failure for denied access, or Information for events generated by Content-Aware rules of Detection type. Note that the value of eventType is displayed as a numeric value instead of a text string: 8 indicates success, 16 indicates failure, and 4 indicates information.
•eventId(2) - A number identifying the particular event type.
•userSid(3) - The security identifier (SID) of the user associated with this event.
•userName(4) - The name of the user associated with this event.
•computerName(5) - The name of the computer from which the event was received.
•processId(6) - The identifier of the process associated with this event.
•processName(7) - The name of the process associated with this event.
•source(8) - The type of device or protocol involved. Please note that the value of source is displayed as a numeric value rather than a text string. The following numeric values are used:
Devices | Protocols |
1 - Floppy | 513 - ICQ Messenger |
2 - Removable | 514 - HTTP |
3 - Hard disk | 515 - Torrent |
5 - Optical Drive | 516 - FTP |
7 - Serial port | 517 - SMTP |
8 - Parallel port | 520 - Jabber |
9 - Tape | 521 - IRC |
10 - USB port | 522 - Telnet |
11 - Infrared port | 524 - Mail.ru Agent |
12 - FireWire port | 525 - Web Mail |
13 - Bluetooth | 526 - Social Networks |
14 - WiFi | 527 - SSL |
15 - Windows Mobile | 528 - SMB |
16 - Palm | 529 - MAPI |
17 - Printer | 530 - File Sharing |
18 - iPhone | 531 - Skype |
19 - BlackBerry | 533 - Any (TCP) |
20 - Clipboard | 534 - Any (UDP) |
21 - TS Devices | 539 - IP (TCP) |
22 - MTP | 540 - IP (UDP) |
| 541 - IBM Notes |
| 542 - WhatsApp |
| 546 - Telegram |
| 547 - Viber |
| 548 - Tor Browser |
| 549 - Web Search |
| 550 - Career Search |
| 551 - Zoom |
•action(9) - The user’s activity type.
•name(10) - The name of the object (file, USB device, etc.).
•info(11) - Other device-specific information for the event, such as the access flags, device names, and so on.
•reason(12) - The cause of the event.
•datetime(13) - The date and time (in the RFC3339 date/time format) when the event was received by DeviceLock Service.
Note: These MIB objects correspond to audit log fields. |
A trap is sent just once each time an event associated with an alert occurs. Below is an example of the SNMP alert.
