CyberArk integration with Check MK using SNMP traps

CMK version: 2.0.0p15 raw
OS version: RHEL 8.6
Description of the problem: I am trying to monitor the CyberArk vault using SNMP traps, according to the CyberArk documentation: Support Community. I uploaded the v2 MIB file to Check MK (though I had to remove the last entry, as Check MK complained about a “duplicate symbol”), created a rule pack and a simple rule that catches any event as per the Check MK documentation (The Event Console - Processing logs and SNMP traps).

When manually testing the sending of an event, Check MK correctly receives it. However, Check MK is not receiving any events from the CyberArk vault. The SNMP traps are being sent, as I did a traffic capture on port 162 of the Check MK server and detected traps being sent. The problem seems to be Check MK's interpretation of these traps, but nothing shows up in the logs (/var/log/mkeventd.log):

2022-11-29 15:42:47,019 [20] [cmk.mkeventd.StatusServer] Reloaded configuration.
2022-11-29 15:49:32,202 [20] [cmk.mkeventd.EventServer] Successfully forwarded notification for event 18 to Check_MK
2022-11-29 15:49:47,709 [20] [cmk.mkeventd.EventServer] Successfully forwarded notification for event 19 to Check_MK

The mkeventd log does not even report an attempt at receiving a trap; it only reports my manual tests (events 18 and 19).

I was wondering if anyone had any experience integrating CyberArk with CheckMK and experienced a similar problem.

Is the Event Console listening on port 162/udp? Have you enabled that in the global settings or via omd config?

You need to specify a community or, for v3, an Engine ID to receive traps.

Yes, as shown here:


I am able to generate traps in the command line (with the snmptrap command).

You mean the SNMP community string? I am using the default “public” at both ends (with v2):

Hi.

Did you create a rule with the correct syslog facility “snmp traps”?

Hi Gabriel,

Coincidentally, we are configuring the exact same thing at the moment. We are just a bit ahead of you because we do get SNMP traps from the Vault. So far, the suggestions from other people seem right. Did you also run “omd config” and enable “MKEVENTID*” under addons?

(Our config is also not working yet because the SNMP traps are not translated. There seems to be something wrong with the CyberArk V2 MIB file apart from the duplicate section at the end of the file. Please drop a line if you get past the MIB Translation)

Hi,

Hadn’t done that; did it now, but still with no results:


I am still getting no events from CyberArk.

Hello Hugo,

Ok, I think I have found the problem. I enabled the debug option for logs regarding SNMP traps, and noticed this in the mkeventd.log:

2022-12-05 12:03:56,312 [15] [cmk.mkeventd.EventServer.snmp] Trap (v1) dropped from <ip address>: Unknown community ("public")

And

2022-12-05 12:03:56,315 [10] [cmk.mkeventd.EventServer.snmp] prepareDataElements: Message:
 version=version-2c
 community="public"
 data=PDUs:

It seems CyberArk is sending the community string enclosed in “”, which Check MK rejects. When I changed the default string in Check MK from public to “public”, I started receiving events:

Not sure why CyberArk is sending the community string in quotes. Maybe it is the standard behaviour? But Check MK seems not to like that. The CyberArk configuration says the quotes should be used (Support Community), but even after I removed them from the configuration file, they still showed up in the logs.

You seem to have the same problem. The hex numbers are not being translated into text. Just copy/paste the hex output into an online converter and you will see that there is essential information in there that we are missing (the 0x4d6**** part of the SNMP output).

Hi Hugo, did you do some configuration on Check MK to convert the hex numbers to text? Did you solve your problem? If yes, how did you do that?

Hi Jomes,
No, we have not been able to solve this yet. We had a long look at this problem with Check MK support. They helped us very well. We were able to prove that the CyberArk MIBs are not formatted correctly. There are several online MIB validators that will tell you that the MIB has multiple syntax errors.

We have opened a case with CyberArk support and are currently waiting for an answer on this problem. I will come back to you when the solution has been found.

I appreciate it, because I am having a similar issue.

Hello all, I had some breakthrough by renaming the MIB file extension from .txt to .mib:


It still does not translate the OIDs.

Hi,

I did have the same issue. The CyberArk MIB is invalid. If you look in the logs you can see that the MIB cannot be compiled due to errors and therefore is not loaded at all. This is the reason it’s not translated.
Here is a sample problem in the MIB:

    osMemoryAvailKbSwap OBJECT-TYPE
        SYNTAX Integer32
        MAX-ACCESS read-only
        STATUS current
        DESCRIPTION
            "Available swap memory in kilobytes"
        DEFVAL { "None" }
        ::= { osMemoryUsage 4 }

which causes a parser error. I read through the MIB definitions (https://www.ietf.org/rfc/rfc1212.txt, section 4.1.7, “Mapping of the DEFVAL clause”).

If you define a “DEFVAL” it must be the same type as specified in the “SYNTAX”. In these cases, the SYNTAX is “Integer32” and the defined “DEFVAL” is “None”. Now the word “None” is not an “Integer32” and therefore causes an error.
Since the “DEFVAL” definition is optional (as specified in the RFC) I simply removed it in all objects where there was a mismatch. Then it does compile just fine and gets translated, but unfortunately now I am stuck myself on this issue SNMP Trap string decoding, which I do not yet have a solution for. I guess CyberArk just has to fix their MIB.

Edit: Additionally, there is this issue in the CyberArk MIB: Support Community. I did not remove the section, but renamed the group.

BR
Benjamin
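The DEFVAL/SYNTAX mismatch Benjamin describes can be found and stripped mechanically before loading the MIB into the Event Console. The script below is an added example, not code from the thread or from Checkmk or CyberArk; it is a lightweight regex pass over OBJECT-TYPE definitions (not a full ASN.1 parser), it works on a constructed MIB fragment modelled on the object quoted above, and it removes the DEFVAL clause only where a quoted string is given for a numeric SYNTAX, which RFC 1212 allows because DEFVAL is optional.

```python
import re
import sys

# Constructed sample: one object with the mismatch from the post, one valid DisplayString object.
SAMPLE_MIB = """\
osMemoryAvailKbSwap OBJECT-TYPE
    SYNTAX Integer32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "Available swap memory in kilobytes"
    DEFVAL { "None" }
    ::= { osMemoryUsage 4 }

osHostName OBJECT-TYPE
    SYNTAX DisplayString
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "Host name of the vault server"
    DEFVAL { "None" }
    ::= { osInfo 1 }
"""

# SMI numeric base types for which a quoted-string DEFVAL is a type error.
NUMERIC_SYNTAXES = {"INTEGER", "Integer32", "Unsigned32", "Gauge32",
                    "Counter32", "Counter64", "TimeTicks"}

OBJECT_RE = re.compile(r"(?P<name>[\w-]+)\s+OBJECT-TYPE\s+(?P<body>.*?)::=", re.S)
SYNTAX_RE = re.compile(r"SYNTAX\s+([\w-]+)")
DEFVAL_RE = re.compile(r"DEFVAL\s*\{\s*(?P<val>[^}]*)\}")
DEFVAL_LINE_RE = re.compile(r"^[ \t]*DEFVAL\s*\{[^}]*\}[ \t]*\r?\n?", re.M)

def _is_mismatch(body):
    """True when SYNTAX is numeric but DEFVAL holds a quoted string such as \"None\"."""
    syntax = SYNTAX_RE.search(body)
    defval = DEFVAL_RE.search(body)
    return bool(syntax and defval and syntax.group(1) in NUMERIC_SYNTAXES
                and defval.group("val").strip().startswith('"'))

def find_mismatches(mib_text):
    """Names of OBJECT-TYPE definitions whose DEFVAL does not match a numeric SYNTAX."""
    return [m.group("name") for m in OBJECT_RE.finditer(mib_text) if _is_mismatch(m.group("body"))]

def strip_mismatched_defvals(mib_text):
    """Drop the offending DEFVAL line from mismatching objects; valid DEFVALs are kept."""
    def fix(m):
        return DEFVAL_LINE_RE.sub("", m.group(0), count=1) if _is_mismatch(m.group("body")) else m.group(0)
    return OBJECT_RE.sub(fix, mib_text)

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MIB
    print("mismatched objects:", find_mismatches(text), file=sys.stderr)
    sys.stdout.write(strip_mismatched_defvals(text))
```

Run it with the MIB path as the only argument and redirect stdout to a new .mib file; the list of objects it touched goes to stderr so the changes can be reviewed before the file is uploaded.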
