Edge Delta SNMP Trap Source
Overview
The SNMP Trap source node enables Edge Delta to receive and process SNMP trap notifications sent from network devices, servers, applications, and infrastructure components. It acts as a trap receiver (trap daemon) that listens for unsolicited SNMP notifications over UDP, supporting both SNMPv1 and SNMPv2c trap formats. This allows you to capture real-time alerts and events from your entire infrastructure without actively polling devices. Unlike the SNMP Pull source, which actively polls devices at intervals, the SNMP Trap source passively receives notifications when devices detect events.
- outgoing_data_types: log
The SNMP Trap source node is ideal for:
- Network Device Monitoring: Receive alerts from routers, switches, firewalls, and wireless controllers
- Infrastructure Alerting: Capture temperature, power, and hardware failure notifications
- Application Event Collection: Gather custom traps from SNMP-enabled applications
- Security Event Monitoring: Collect authentication failures and security violations
- Environmental Monitoring: Receive alerts from UPS systems, cooling units, and sensors
Field Mapping
The SNMP Trap source node extracts and maps the following fields from incoming trap messages:
SNMP Field | Attribute Name | Description |
---|---|---|
Version | snmp.version | SNMP version (1 or 2c) |
PDU Type | snmp.pdu.type | Protocol Data Unit type (Trap, SNMPv2Trap) |
Source IP | network.peer.ip | IP address of the trap sender |
Variables | snmp.varbinds | Variable bindings as OID-value pairs |
Variable Count | snmp.variables.count | Number of variables in the trap |
Request ID | snmp.request.id | Request identifier (v2c only) |
Enterprise OID | snmp.enterprise_oid | Enterprise identifier (v1 only) |
Generic Trap | snmp.generic_trap | Generic trap type number (v1 only) |
Generic Trap Name | snmp.generic_trap_name | Human-readable trap type (v1 only) |
Specific Trap | snmp.specific_trap | Enterprise-specific trap number (v1 only) |
Agent Address | snmp.agent.address | Agent IP address (v1 only) |
Trap OID | snmp.trap_oid | Combined trap identifier (v1 only) |
Trap Type Mapping
SNMPv1 generic trap types are automatically mapped to descriptive names:
Generic Trap | Name | Description |
---|---|---|
0 | coldStart | Agent reinitialized with configuration changes |
1 | warmStart | Agent reinitialized without configuration changes |
2 | linkDown | Network interface went down |
3 | linkUp | Network interface came up |
4 | authenticationFailure | Authentication attempt failed |
5 | egpNeighborLoss | EGP neighbor relationship lost |
6 | enterpriseSpecific | Vendor-specific trap |
Example Configurations
Basic Configuration

This minimal configuration uses all default settings to receive SNMP traps. The node automatically listens on the standard SNMP trap port and accepts traps from any source.
nodes:
  - name: snmp_trap_receiver
    type: snmp_trap_input
Custom Port Configuration
For environments where the standard trap port is unavailable or when running without elevated privileges, specify a custom port above 1024.
nodes:
  - name: snmp_trap_custom_port
    type: snmp_trap_input
    port: 1162
    listen: "0.0.0.0"
    transport: udp
Advanced Configuration with Community String
This configuration demonstrates advanced options including community string validation and specific network interface binding.
nodes:
  - name: snmp_trap_secure
    type: snmp_trap_input
    port: 162
    listen: "10.0.0.100"
    transport: udp
    community: "secret-community"
    source_metadata: true
Example Output
When SNMP traps are received, they are parsed and converted into structured log items. Below are examples showing the raw trap sent and the resulting processed data item.
SNMPv2c Cold Start Trap
Raw trap sent:
snmptrap -v 2c -c public <edge-delta-host> '' \
1.3.6.1.6.3.1.1.5.1 \
1.3.6.1.6.3.1.1.5.1 s "coldStart trap from router"
Processed data item in pipeline:
{
  "_type": "log",
  "timestamp": 1756958216967,
  "body": "SNMP 2c trap from 10.244.0.20",
  "resource": {
    "ed.source.name": "snmp_trap_receiver",
    "ed.source.type": "snmp_trap_input",
    "host.ip": "172.19.0.2",
    "host.name": "edge-delta-agent",
    "service.name": ""
  },
  "attributes": {
    "network.peer.ip": "10.244.0.20",
    "snmp.pdu.type": "SNMPv2Trap",
    "snmp.request.id": 2112302011,
    "snmp.varbinds": {
      ".1.3.6.1.2.1.1.3.0": {
        "centiseconds": 3522368,
        "duration": "9h47m3.68s",
        "seconds": 35223.68
      },
      ".1.3.6.1.6.3.1.1.4.1.0": ".1.3.6.1.6.3.1.1.5.1",
      ".1.3.6.1.6.3.1.1.5.1": "coldStart trap from router"
    },
    "snmp.variables.count": 3,
    "snmp.version": "2c"
  },
  "observed_timestamp": 1756958216990
}
SNMPv1 Enterprise-Specific Trap
Raw trap sent:
snmptrap -v 1 -c public <edge-delta-host> \
1.3.6.1.4.1.9 192.168.1.1 6 33 100 \
1.3.6.1.2.1.2.2.1.1 i 1
Processed data item in pipeline:
{
  "_type": "log",
  "timestamp": 1756958229890,
  "body": "SNMP trap enterpriseSpecific from 10.244.0.20",
  "resource": {
    "ed.source.name": "snmp_trap_receiver",
    "ed.source.type": "snmp_trap_input",
    "host.ip": "172.19.0.2",
    "host.name": "edge-delta-agent",
    "service.name": ""
  },
  "attributes": {
    "network.peer.ip": "10.244.0.20",
    "snmp.agent.address": "192.168.1.1",
    "snmp.enterprise_oid": ".1.3.6.1.4.1.9",
    "snmp.generic_trap": 6,
    "snmp.generic_trap_name": "enterpriseSpecific",
    "snmp.pdu.type": "Trap",
    "snmp.specific_trap": 33,
    "snmp.trap_oid": ".1.3.6.1.4.1.9.0.33",
    "snmp.varbinds": {
      ".1.3.6.1.2.1.2.2.1.1": 1
    },
    "snmp.variables.count": 1,
    "snmp.version": "1"
  },
  "observed_timestamp": 1756958229910
}
Temperature Alert Trap
Raw trap sent:
snmptrap -v 2c -c public <edge-delta-host> '' \
1.3.6.1.4.1.9.9.13.1.3.0.2 \
1.3.6.1.4.1.9.9.13.1.3.0.2 s "Temperature threshold exceeded: 85C"
Processed data item in pipeline:
{
  "_type": "log",
  "timestamp": 1756958222627,
  "body": "SNMP 2c trap from 10.244.0.20",
  "resource": {
    "ed.source.name": "snmp_trap_receiver",
    "ed.source.type": "snmp_trap_input",
    "host.ip": "172.19.0.2",
    "host.name": "edge-delta-agent",
    "service.name": ""
  },
  "attributes": {
    "network.peer.ip": "10.244.0.20",
    "snmp.pdu.type": "SNMPv2Trap",
    "snmp.request.id": 786929287,
    "snmp.varbinds": {
      ".1.3.6.1.2.1.1.3.0": {
        "centiseconds": 3522935,
        "duration": "9h47m9.35s",
        "seconds": 35229.35
      },
      ".1.3.6.1.4.1.9.9.13.1.3.0.2": "Temperature threshold exceeded: 85C",
      ".1.3.6.1.6.3.1.1.4.1.0": ".1.3.6.1.4.1.9.9.13.1.3.0.2"
    },
    "snmp.variables.count": 3,
    "snmp.version": "2c"
  },
  "observed_timestamp": 1756958222650
}
Required Parameters
name
A descriptive name for the node. This name appears in the pipeline builder, and you use it to reference the node elsewhere in the YAML. It must be unique across all nodes. Because it is a YAML list element, it begins with a - and a space, followed by the string. It is a required parameter for all nodes.
nodes:
  - name: <node name>
    type: <node type>
type: snmp_trap_input
The type parameter specifies the type of node being configured. It is specified as a string from a closed list of node types. It is a required parameter.
nodes:
  - name: <node name>
    type: <node type>
Optional Parameters
port
The port parameter specifies the UDP port to listen on for incoming SNMP traps. The standard SNMP trap port is 162, but this requires elevated privileges. Common alternative ports include 1162 for unprivileged operation. If not specified, the node uses its default port configuration.
It is specified as an integer and is optional.
nodes:
  - name: <node name>
    type: snmp_trap_input
    port: 1162
listen
The listen parameter specifies the IP address to bind to for listening. Use “0.0.0.0” to listen on all network interfaces, or specify a particular IP address to restrict trap reception to a specific interface. Default is “0.0.0.0”.
It is specified as a string and is optional.
nodes:
  - name: <node name>
    type: snmp_trap_input
    listen: "0.0.0.0"
transport
The transport parameter specifies the transport protocol for receiving traps. SNMP traps are always sent via UDP according to the SNMP specification. This parameter defaults to “udp” and should not be changed.
It is specified as a string and is optional.
nodes:
  - name: <node name>
    type: snmp_trap_input
    transport: udp
community
The community parameter specifies the SNMP community string to validate incoming traps. If set, only traps with matching community strings will be accepted. If not specified, traps with any community string are accepted. This provides basic authentication for trap sources.
It is specified as a string and is optional.
nodes:
  - name: <node name>
    type: snmp_trap_input
    community: "public"
source_metadata
The source_metadata parameter is used to define which detected resources and attributes to add to each data item as it is ingested by the Edge Delta agent. In the GUI you can select:
- Required Only: This option includes the minimum required resources and attributes for Edge Delta to operate.
- Default: This option includes the required resources and attributes plus those selected by Edge Delta.
- High: This option includes the required resources and attributes along with a larger selection of common optional fields.
- Custom: With this option selected, you can choose which attributes and resources to include. The required fields are selected by default and can’t be unchecked.
Based on your selection in the GUI, the source_metadata YAML is populated as two dictionaries (resource_attributes and attributes) with Boolean values.
See Choose Data Item Metadata for more information on selecting metadata.
Configuring SNMP Trap Sources
Cisco IOS/IOS-XE Configuration
Configure Cisco devices to send SNMP traps to Edge Delta. The snmp-server host command specifies the trap destination, while snmp-server enable traps controls which trap types are sent.
snmp-server host <edge-delta-host> version 2c public udp-port 1162
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps envmon fan shutdown supply temperature status
snmp-server enable traps cpu threshold
snmp-server enable traps memory bufferpeak
snmp-server enable traps config
This configuration sends authentication, environmental, CPU, memory, and configuration change traps to Edge Delta. The traps use SNMPv2c format with the “public” community string.
Juniper Junos Configuration
Configure Juniper devices to forward SNMP traps for system events and chassis alarms. The trap-group defines the destination and trap categories, while trap-options controls which specific events generate traps.
set snmp trap-group edge-delta version v2
set snmp trap-group edge-delta targets <edge-delta-host> port 1162
set snmp trap-group edge-delta categories authentication
set snmp trap-group edge-delta categories chassis
set snmp trap-group edge-delta categories link
set snmp trap-group edge-delta categories remote-operations
set snmp trap-options source-address lo0
Linux Net-SNMP Configuration
Configure Linux systems to send traps using snmpd and snmptrapd. The configuration enables standard system traps and custom application traps.
# /etc/snmp/snmpd.conf
trap2sink <edge-delta-host>:1162 public
authtrapenable 1
linkUpDownNotifications yes
defaultMonitors yes
After configuration, restart snmpd:
sudo systemctl restart snmpd
To send custom traps from applications or scripts:
# Send a custom application trap
snmptrap -v 2c -c public <edge-delta-host>:1162 '' \
1.3.6.1.4.1.YOUR_ENTERPRISE_OID.1.1 \
1.3.6.1.4.1.YOUR_ENTERPRISE_OID.1.1.1 s "Application error occurred" \
1.3.6.1.4.1.YOUR_ENTERPRISE_OID.1.1.2 i 500
VMware ESXi Configuration
Configure ESXi hosts to send SNMP traps for hardware and virtual machine events:
# Enable SNMP
esxcli system snmp set --enable true
# Configure trap destination
esxcli system snmp set --targets <edge-delta-host>@1162/public
# Set community string
esxcli system snmp set --communities public
# Enable specific trap types
esxcli system snmp set --hwsrc sensors
esxcli system snmp set --loglevel info
Windows SNMP Service
Configure Windows Server to send SNMP traps:
- Install SNMP Service via Server Manager or PowerShell:
  Install-WindowsFeature SNMP-Service -IncludeManagementTools
- Configure trap destination via Registry or PowerShell:
  # Add trap destination
  New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\TrapConfiguration\public" `
      -Name "1" -Value "<edge-delta-host>:1162" -PropertyType String
  # Restart service
  Restart-Service SNMP
Application Integration
Python with pysnmp
Send custom traps from Python applications:
from pysnmp.hlapi import *
from pysnmp.proto import rfc1902

def send_trap(message, severity):
    # Send one SNMPv2c trap carrying a message string and a numeric severity
    error_indication, error_status, error_index, var_binds = next(
        sendNotification(
            SnmpEngine(),
            CommunityData('public'),
            UdpTransportTarget(('<edge-delta-host>', 1162)),
            ContextData(),
            'trap',
            NotificationType(
                ObjectIdentity('1.3.6.1.4.1.YOUR_OID.1.1')
            ).addVarBinds(
                ('1.3.6.1.4.1.YOUR_OID.1.1.1', OctetString(message)),
                ('1.3.6.1.4.1.YOUR_OID.1.1.2', Integer32(severity))
            )
        )
    )
    # error_indication is set when the trap could not be sent locally
    if error_indication:
        print(f'Trap failed: {error_indication}')

# Usage
send_trap("Database connection pool exhausted", 3)
send_trap("Backup completed successfully", 6)
Java with SNMP4J
Send traps from Java applications:
import java.io.IOException;
import java.lang.management.ManagementFactory;
import org.snmp4j.*;
import org.snmp4j.mp.*;
import org.snmp4j.smi.*;
import org.snmp4j.transport.*;

public class TrapSender {
    public static void sendTrap(String message) throws IOException {
        TransportMapping transport = new DefaultUdpTransportMapping();
        Snmp snmp = new Snmp(transport);
        transport.listen();

        // SNMPv2c target: community string, destination host/port, version
        CommunityTarget target = new CommunityTarget();
        target.setCommunity(new OctetString("public"));
        target.setAddress(new UdpAddress("<edge-delta-host>/1162"));
        target.setVersion(SnmpConstants.version2c);

        PDU pdu = new PDU();
        pdu.setType(PDU.TRAP);
        // sysUpTime is a 32-bit TimeTicks value in hundredths of a second.
        // Use JVM uptime; wall-clock milliseconds / 10 exceeds the 32-bit range.
        long uptimeTicks = ManagementFactory.getRuntimeMXBean().getUptime() / 10;
        pdu.add(new VariableBinding(SnmpConstants.sysUpTime,
                new TimeTicks(uptimeTicks)));
        pdu.add(new VariableBinding(SnmpConstants.snmpTrapOID,
                new OID("1.3.6.1.4.1.YOUR_OID.1.1")));
        pdu.add(new VariableBinding(new OID("1.3.6.1.4.1.YOUR_OID.1.1.1"),
                new OctetString(message)));

        snmp.send(pdu, target);
        snmp.close();
    }
}
Testing SNMP Trap Configuration
After configuring your devices, test trap delivery using these methods:
Using snmptrap Command
# Test SNMPv2c trap
snmptrap -v 2c -c public <edge-delta-host>:1162 '' \
1.3.6.1.6.3.1.1.5.3 \
1.3.6.1.6.3.1.1.5.3 s "Test trap from $(hostname)"
# Test SNMPv1 trap
snmptrap -v 1 -c public <edge-delta-host>:1162 \
1.3.6.1.4.1.9 $(hostname -I | awk '{print $1}') 6 1 '' \
1.3.6.1.2.1.1.5.0 s $(hostname)
Verify Receipt
Check Edge Delta Live Capture to confirm traps are being received and parsed correctly. Look for:
- Correct source IP in network.peer.ip
- Proper trap type identification
- Complete varbind extraction
- Accurate timestamp processing
Best Practices
Port Selection
When configuring the SNMP Trap source node, consider port accessibility and security requirements. The standard SNMP trap port 162 requires root or administrative privileges, which may not be available in containerized deployments or restricted environments. Using port 1162 or another port above 1024 allows the Edge Delta agent to run without elevated privileges while maintaining compatibility with most SNMP trap senders that support custom port configuration.
Security Considerations
SNMP traps are transmitted in clear text without encryption, making them vulnerable to interception and spoofing. While community strings provide basic authentication, they are also sent unencrypted and should not be considered secure. Implement network segmentation to isolate SNMP traffic from untrusted networks, and use firewall rules to restrict which devices can send traps to your Edge Delta agents. For sensitive environments, consider using dedicated VLANs or VPNs for SNMP traffic. Monitor for unusual trap patterns that might indicate spoofing attempts or compromised devices.
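One way to act on the monitoring advice above, as an added example that is not Edge Delta code: a Python pass over processed trap items (in the attribute layout shown under Example Output) that flags senders outside an allowlist, SNMPv1 traps whose agent address differs from the UDP peer, and bursts of authenticationFailure traps. The function names, thresholds, networks and sample items are constructed for illustration.

```python
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

AUTH_FAILURE_OID = ".1.3.6.1.6.3.1.1.5.5"  # snmpTraps.5, authenticationFailure
SNMP_TRAP_OID = ".1.3.6.1.6.3.1.1.4.1.0"   # varbind carrying the v2c trap OID
T0 = 1756958230000                         # constructed base timestamp (ms)


def is_auth_failure(attrs):
    """True for an authenticationFailure trap in either v1 or v2c form."""
    if attrs.get("snmp.generic_trap") == 4:
        return True
    return attrs.get("snmp.varbinds", {}).get(SNMP_TRAP_OID) == AUTH_FAILURE_OID


def review_traps(items, allowed_nets, burst=3, window_ms=60_000):
    """Return (timestamp, peer, finding) tuples for traps worth a second look."""
    nets = [ip_network(n) for n in allowed_nets]
    recent = defaultdict(deque)  # peer -> timestamps of recent auth failures
    findings = []
    for item in sorted(items, key=lambda i: i["timestamp"]):
        attrs, ts = item["attributes"], item["timestamp"]
        peer = attrs["network.peer.ip"]
        if not any(ip_address(peer) in n for n in nets):
            findings.append((ts, peer, "sender outside allowed networks"))
        # v1 only: the agent address is a PDU field chosen by the sender, while
        # network.peer.ip is the UDP source the listener saw. A mismatch means
        # a relay or NAT sits in the path, or the field was forged.
        agent = attrs.get("snmp.agent.address")
        if agent and agent != peer:
            findings.append((ts, peer, f"agent address {agent} differs from peer"))
        if is_auth_failure(attrs):
            q = recent[peer]
            q.append(ts)
            while ts - q[0] > window_ms:
                q.popleft()
            if len(q) == burst:  # report once when the threshold is reached
                findings.append((ts, peer, f"{burst} authenticationFailure traps in window"))
    return findings


def make_item(ts, peer, attrs):
    return {"timestamp": ts, "attributes": {"network.peer.ip": peer, **attrs}}


# Constructed sample items in the shape of the processed output shown earlier.
SAMPLE = [
    make_item(T0 + 1000, "10.244.0.20", {"snmp.generic_trap": 6, "snmp.agent.address": "192.168.1.1"}),
    make_item(T0 + 2000, "10.244.0.21", {"snmp.generic_trap": 4, "snmp.agent.address": "10.244.0.21"}),
    make_item(T0 + 3000, "10.244.0.21", {"snmp.varbinds": {SNMP_TRAP_OID: AUTH_FAILURE_OID}}),
    make_item(T0 + 4000, "10.244.0.21", {"snmp.generic_trap": 4, "snmp.agent.address": "10.244.0.21"}),
    make_item(T0 + 5000, "203.0.113.9", {"snmp.varbinds": {SNMP_TRAP_OID: ".1.3.6.1.6.3.1.1.5.1"}}),
]

if __name__ == "__main__":
    for finding in review_traps(SAMPLE, ["10.244.0.0/16"]):
        print(finding)
```

The agent-address check fires on the SNMPv1 sample shown under Example Output (peer 10.244.0.20, agent address 192.168.1.1), so treat it as a prompt to confirm the path, not as proof of spoofing.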
Trap Filtering and Processing
Not all SNMP traps require the same level of attention or retention. Configure your source devices to send only relevant traps to reduce noise and processing overhead. Use Edge Delta processors to filter, enrich, or route traps based on their type, severity, or source. For example, you might route critical hardware failure traps to immediate alerting while aggregating informational traps for trend analysis. Consider implementing rate limiting for high-volume trap sources to prevent overwhelming your pipeline during network events or misconfigurations.
Performance Optimization
SNMP traps use UDP for transport, which provides low overhead but no delivery guarantee. During high-volume events like network outages, trap storms can occur where devices send thousands of traps simultaneously. Configure appropriate buffer sizes in your Edge Delta agent to handle burst traffic without drops. Monitor the snmp.variables.count attribute to identify complex traps that might impact processing performance. For environments with numerous trap sources, consider deploying multiple Edge Delta agents and using anycast or load balancing to distribute the trap processing load.
Varbind Processing
SNMP traps contain variable bindings (varbinds) that carry the actual event data. These are stored in the snmp.varbinds attribute as OID-value pairs. The OIDs are typically long numeric strings that require MIB files for human-readable translation. Consider using OTTL functions or processors to map common OIDs to meaningful field names in your pipeline. For time-based values like uptime, Edge Delta automatically provides multiple formats (centiseconds, duration string, seconds) for flexibility in downstream processing.
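The mapping logic described above, sketched in Python as an added example that is not part of Edge Delta: it derives one trap identifier for v1 and v2c items (using the RFC 3584 mapping for v1) and replaces known OID prefixes with names while keeping instance suffixes. OID_NAMES is a small hand-written stand-in for MIB files and the function names are hypothetical; the sample attributes are trimmed from the example output on this page.

```python
SNMP_TRAP_OID = ".1.3.6.1.6.3.1.1.4.1.0"   # snmpTrapOID.0
STANDARD_TRAPS = ".1.3.6.1.6.3.1.1.5"      # snmpTraps subtree

# Hand-written name table standing in for MIB files (an assumption).
OID_NAMES = {
    ".1.3.6.1.2.1.1.3": "sysUpTime",
    ".1.3.6.1.2.1.2.2.1.1": "ifIndex",
    ".1.3.6.1.4.1.9": "cisco",
    ".1.3.6.1.6.3.1.1.5.1": "coldStart",
    ".1.3.6.1.6.3.1.1.5.3": "linkDown",
}


def trap_oid(attrs):
    """One trap identifier for both versions, using the RFC 3584 v1 mapping."""
    if attrs.get("snmp.version") == "1":
        generic = attrs["snmp.generic_trap"]
        if generic == 6:  # enterpriseSpecific: enterprise.0.specific
            return f'{attrs["snmp.enterprise_oid"]}.0.{attrs["snmp.specific_trap"]}'
        return f"{STANDARD_TRAPS}.{generic + 1}"  # coldStart(0) -> snmpTraps.1
    return attrs["snmp.varbinds"][SNMP_TRAP_OID]


def name_oid(oid, names=OID_NAMES):
    """Translate the longest known prefix, keeping the instance suffix."""
    parts = oid.split(".")  # first element is "" because of the leading dot
    for cut in range(len(parts), 1, -1):
        prefix = ".".join(parts[:cut])
        if prefix in names:
            return ".".join([names[prefix], *parts[cut:]])
    return oid  # unknown OIDs pass through unchanged


def label_trap(attrs, names=OID_NAMES):
    """Return a flat dict with a named trap and named varbinds."""
    out = {"trap": name_oid(trap_oid(attrs), names)}
    for oid, value in attrs.get("snmp.varbinds", {}).items():
        if oid == SNMP_TRAP_OID:
            continue  # already represented by out["trap"]
        if isinstance(value, dict) and "seconds" in value:
            value = value["seconds"]  # TimeTicks arrive as a dict of formats
        out[name_oid(oid, names)] = value
    return out


# Attributes trimmed from the two example items shown earlier on this page.
V2C_COLD_START = {"snmp.version": "2c", "snmp.varbinds": {
    ".1.3.6.1.2.1.1.3.0": {"centiseconds": 3522368, "seconds": 35223.68},
    SNMP_TRAP_OID: ".1.3.6.1.6.3.1.1.5.1",
    ".1.3.6.1.6.3.1.1.5.1": "coldStart trap from router"}}
V1_ENTERPRISE = {"snmp.version": "1", "snmp.generic_trap": 6,
                 "snmp.enterprise_oid": ".1.3.6.1.4.1.9", "snmp.specific_trap": 33,
                 "snmp.varbinds": {".1.3.6.1.2.1.2.2.1.1": 1}}

if __name__ == "__main__":
    print(label_trap(V2C_COLD_START))
    print(label_trap(V1_ENTERPRISE))
```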
Troubleshooting
Traps Not Received
If traps are not appearing in Live Capture, verify network connectivity between trap sources and the Edge Delta agent using ping or traceroute. Check firewall rules on both the source device and the Edge Delta host to ensure UDP traffic is allowed on the configured port. Confirm the Edge Delta agent has successfully started the SNMP trap listener by checking agent logs. Test with a simple snmptrap command from the same network segment to isolate network versus configuration issues.
Authentication Failures
When using community string validation, ensure the community string in your trap source configuration exactly matches the one configured in the Edge Delta node. Community strings are case-sensitive. Check device logs for authentication failure messages. If traps from some devices work but others don’t, verify all devices are configured with the correct community string.
Incomplete Varbind Data
If varbind data appears truncated or missing, check whether the trap source is sending complete information. Some devices may require additional configuration to include all relevant OIDs in their traps. Use packet capture tools like tcpdump or Wireshark to examine the raw trap packets and verify their content. Large traps with many varbinds may be fragmented at the network layer - ensure your network MTU settings accommodate the trap sizes.
Port Binding Issues
If the agent cannot bind to the specified port, verify no other process is using that port with netstat -uln | grep <port>. For ports below 1024, ensure the Edge Delta agent has appropriate privileges or switch to a higher port number. In Kubernetes environments, confirm the pod security context allows the specified port. Container runtime security policies may also restrict certain port ranges.