- 07 Jan 2025
System Monitoring Notification Targets
The purpose of system monitoring is to alert administrators of certain events that originate in different system elements.
System monitoring requires one or more notification targets to be defined to specify the output format. The available target formats are:
- SMS
- Email
- SNMP traps
SMS and email targets
To use SMS and email notification, the Message Delivery Component (MDC) service must be configured for SMS and email, respectively. For SMS notifications, you need to provide a mobile phone number. For email notifications, you need to provide a sender email address (from), a recipient email address (to), and a subject line. For more information about configuring either notification type, see Configuring voice delivery or Configuring email delivery.
SNMP traps
To receive notifications about events via SNMP traps and to process these traps, the following configuration steps are required:
- Configure an SNMP trap handler
- Define SNMP traps
- Configure SNMP
Configuring an SNMP trap handler
To receive notifications via SNMP traps from OneSpan Authentication Server you need to configure an SNMP trap handler that uses the same SNMP settings as specified in the definition of an SNMP notification target.
Defining SNMP traps
OneSpan Authentication Server supports sending the following types of SNMP traps:
- TRAP v2c
- TRAP
- INFORM: SNMP traps with confirmation from the SNMP trap receiver.
You can define the SNMP trap either using the Configuration Utility (via Monitoring > Targets) or the Administration Web Interface (via SYSTEM > Server Configuration > System Monitoring). Select SNMP as the target type, and specify the following parameters:
- Trap type: TRAP v2c, TRAP, or INFORM.
- Host: The location to which the SNMP traps are sent.
- SNMP host type:
  - INFORM. This type expects an acknowledgment, and will make a number of retries until an acknowledgment is received. If no acknowledgments are received the SNMP host will stop asking.
  - TRAP. SNMPv3 trap.
  - TRAPV2c. SNMPv2c trap.
- SNMP settings: The settings for sending the trap. These settings depend on the selected SNMP trap type, and must align with the SNMP settings used by the SNMP trap handler. Example adjustments of these settings are:
  - Security Name: This is the user name for SNMPv3, or the community name for SNMPv2c.
  - Authentication type: The authentication type must match the authentication type of the SNMP host.
    - None. Messages will not be authenticated.
    - MD5
    - SHA
  - Secret. The secret key that is used by the authentication protocol for authenticating messages.
  - Privacy Type: The privacy protocol. This determines whether messages sent by this user will be encrypted, and if so, which protocol to use.
    - None. Messages cannot be encrypted.
    - AES
    - DES
  - Secret. The secret key that is used by the encryption protocol.
When you configure SNMP notification targets, make sure that you set both the authentication type AND the privacy type for a complete trap configuration, i.e. you cannot set a privacy type without setting an authentication type.
Only the following combinations are valid for SNMP communication:
- Without authentication and privacy (both set to None).
- With authentication, but without privacy.
- With authentication and privacy.
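The three valid combinations correspond to the SNMPv3 security levels noAuthNoPriv, authNoPriv and authPriv. The following added example (not OneSpan or Net-SNMP code; the function names and sample values are assumptions) checks an SNMPv3 target definition against these rules and builds the matching snmptrapd.conf user lines for a Net-SNMP trap handler, so that both sides use the same settings.

```python
AUTH_TYPES = ("None", "MD5", "SHA")   # authentication types listed on this page
PRIV_TYPES = ("None", "AES", "DES")   # privacy types listed on this page

def security_level(auth_type, auth_secret="", priv_type="None", priv_secret=""):
    """Return the SNMPv3 security level of a target, or raise ValueError."""
    if auth_type not in AUTH_TYPES or priv_type not in PRIV_TYPES:
        raise ValueError("unknown authentication or privacy type")
    if auth_type == "None":
        if priv_type != "None":
            raise ValueError("privacy type set without an authentication type")
        return "noAuthNoPriv"
    if not auth_secret:
        raise ValueError("authentication secret missing")
    if priv_type == "None":
        return "authNoPriv"
    if not priv_secret:
        raise ValueError("privacy secret missing")
    return "authPriv"

def trapd_user_lines(name, auth_type, auth_secret="", priv_type="None",
                     priv_secret="", engine_id=None):
    """Build snmptrapd.conf lines that mirror an SNMPv3 target definition."""
    level = security_level(auth_type, auth_secret, priv_type, priv_secret)
    parts = ["createUser"]
    if engine_id:
        # SNMPv3 TRAP: the receiver needs the sender's engine ID.
        # INFORM uses the receiver's own engine ID, so -e is omitted.
        parts += ["-e", engine_id]
    parts.append(name)
    if level != "noAuthNoPriv":
        parts += [auth_type, f'"{auth_secret}"']
    if level == "authPriv":
        parts += [priv_type, f'"{priv_secret}"']
    # Minimum level snmptrapd accepts for this user: noauth, auth or priv.
    minimum = {"noAuthNoPriv": "noauth", "authNoPriv": "auth", "authPriv": "priv"}
    return [" ".join(parts), f"authUser log {name} {minimum[level]}"]

if __name__ == "__main__":
    # Constructed sample values; replace with the target's real settings.
    for line in trapd_user_lines("monitor", "SHA", "authpass123", "AES", "privpass123"):
        print(line)
```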
Configuring SNMP
To use SNMP notifications you must first install an SNMP manager, e.g. Net-SNMP. A number of MIBs are provided for use with SNMP.
SNMP traps can only be sent when Net-SNMP is configured. The relevant configurations are adjusted in the OneSpan Authentication Server Configuration Utility. Specify the information that is to be written into the snmpd.conf and snmp.conf configuration files of the Net-SNMP service.
The snmpd.conf configuration file contains information about the OneSpan Authentication Server SNMP sub-agent and includes the following elements:
- Net-SNMP IP address, i.e. the IP address the service binds to
- Net-SNMP port, i.e. the UDP port of the service
- SNMPv3 user name
- Authentication type
- Authentication password (if required by the selected authentication type)
- Privacy type
- Privacy password (if required by the selected privacy type)
When an SNMP trap is sent, the information is added to the security alert table, i.e. an SNMP table that is defined in OneSpan Authentication Server and contains a list of recent security alerts. This list is defined in the VASCO-IDENTIKEY-MIB.txt file and can be accessed using an SNMP viewer. It is non-persistent, i.e. the list is cleared when the OneSpan Authentication Server process is stopped.
Example output of an SNMP trap sent by OneSpan Authentication Server and received by the Net-SNMP trap handling service:
2014-05-07 11:40:58 DEVTESTDC.DEVTEST.local [UDP: [10.143.225.21]:52911->[0.0.0.0]:0]:
SNMP-FRAMEWORK-MIB::snmpEngineTime.0 = INTEGER: 816 seconds
SNMP-FRAMEWORK-MIB::snmpEngineBoots.0 = INTEGER: 4
SNMPv2-MIB::snmpTrapOID.0 = OID: VASCO-IDENTIKEY-MIB::vdsIkSecAlertEvent
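A receiver-side check built on the trap output above, as an added example that is not OneSpan or Net-SNMP code: it parses the log format shown, picks out vdsIkSecAlertEvent traps, and marks whether each one came from an expected sender address. The function names, the second and third log records, and the expected-sender set are constructed for illustration.

```python
import re

# Record 1 is the sample output from this page; records 2 and 3 are constructed.
SAMPLE_LOG = """\
2014-05-07 11:40:58 DEVTESTDC.DEVTEST.local [UDP: [10.143.225.21]:52911->[0.0.0.0]:0]:
SNMP-FRAMEWORK-MIB::snmpEngineTime.0 = INTEGER: 816 seconds
SNMP-FRAMEWORK-MIB::snmpEngineBoots.0 = INTEGER: 4
SNMPv2-MIB::snmpTrapOID.0 = OID: VASCO-IDENTIKEY-MIB::vdsIkSecAlertEvent
2014-05-07 11:41:30 DEVTESTDC.DEVTEST.local [UDP: [10.143.225.21]:52912->[0.0.0.0]:0]:
SNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2-MIB::coldStart
2014-05-07 11:43:02 unknown.example [UDP: [192.0.2.77]:40000->[0.0.0.0]:0]:
SNMPv2-MIB::snmpTrapOID.0 = OID: VASCO-IDENTIKEY-MIB::vdsIkSecAlertEvent
"""

# Header line: timestamp, sender host name, then the sender's UDP address.
HEADER = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\S+) \[UDP: \[([^\]]+)\]:(\d+)->")
# Varbind line: OBJECT = TYPE: VALUE
VARBIND = re.compile(r"^(\S+) = (\w+): (.*)$")
TRAP_OID = "SNMPv2-MIB::snmpTrapOID.0"
ALERT_OID = "VASCO-IDENTIKEY-MIB::vdsIkSecAlertEvent"

def parse_traps(text):
    """Group header and varbind lines into one dict per received trap."""
    records = []
    for line in text.splitlines():
        header = HEADER.match(line)
        if header:
            records.append({"time": header[1], "host": header[2],
                            "src_ip": header[3], "varbinds": {}})
            continue
        varbind = VARBIND.match(line)
        if varbind and records:        # ignore varbinds before any header
            records[-1]["varbinds"][varbind[1]] = varbind[3]
    return records

def security_alerts(records, expected_senders):
    """Return (time, src_ip, from_expected_sender) for each security alert trap."""
    return [(r["time"], r["src_ip"], r["src_ip"] in expected_senders)
            for r in records if r["varbinds"].get(TRAP_OID) == ALERT_OID]

if __name__ == "__main__":
    for alert in security_alerts(parse_traps(SAMPLE_LOG), {"10.143.225.21"}):
        print(alert)
```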
OneSpan Authentication Server uses the standard AgentX protocol to communicate with the Net-SNMP service and delegates all SNMP-specific request handling to Net-SNMP. This includes the responsibility of sending the SNMP traps. The Net-SNMP service must be running on the same system where OneSpan Authentication Server is running. OneSpan Authentication Server requires Net-SNMP to listen on TCP port 705 for the requests.
When OneSpan Authentication Server detects that an audit message matches the audit filter, and if it has been configured to notify about this event via SNMP, then OneSpan Authentication Server performs the following steps:
- Extract the audit message information.
  - Audit message type. Any of the following types is supported:
    - Success
    - Failure
    - Error
    - Information
    - Warning
  - Audit message summary. The summary of the audit message includes the following audit message fields:
    - Date and time when the audit message was generated by OneSpan Authentication Server.
    - Audit Message Code
    - Audit Message unique IDentifier (AMID)
    - Audit Message description
- Add a new entry in the SNMP security alert table. Each entry has the following fields:
  - Index. Auto-incremented index value.
  - Time. The date and time when the entry was generated.
  - Type. The audit message code.
  - Content. The audit message summary.
- Send SNMP trap including the ObjectName of the index of the new entry added in the SNMP security alert table.
Defining event filters
As part of setting up OneSpan Authentication Server system monitoring, you can filter the events you want to be notified about via SNMP. By defining one or more filters you describe which audit messages need to be filtered, and how the notifications are to be delivered. The definition of an audit filter is similar to the definition of an audit filter as part of a report definition.
For the delivery of the notification you need to select the previously defined SNMP target. You can do this either using the Configuration Utility (via Monitoring > Targets) or the Administration Web Interface (via SYSTEM > Server Configuration > System Monitoring).