Edge Delta SNMP Trap Source

Receive and process SNMP trap notifications from network devices, servers, and infrastructure components.

Overview

The SNMP Trap source node enables Edge Delta to receive and process SNMP trap notifications sent from network devices, servers, applications, and infrastructure components. It acts as a trap receiver (trap daemon) that listens for unsolicited SNMP notifications over UDP, supporting both SNMPv1 and SNMPv2c trap formats. This allows you to capture real-time alerts and events from your entire infrastructure without actively polling devices. Unlike the SNMP Pull source which actively polls devices at intervals, SNMP Trap passively receives notifications when devices detect events.

  • outgoing_data_types: log

The SNMP Trap source node is ideal for:

  • Network Device Monitoring: Receive alerts from routers, switches, firewalls, and wireless controllers
  • Infrastructure Alerting: Capture temperature, power, and hardware failure notifications
  • Application Event Collection: Gather custom traps from SNMP-enabled applications
  • Security Event Monitoring: Collect authentication failures and security violations
  • Environmental Monitoring: Receive alerts from UPS systems, cooling units, and sensors

Field Mapping

The SNMP Trap source node extracts and maps the following fields from incoming trap messages:

SNMP Field Attribute Name Description
Version snmp.version SNMP version (1 or 2c)
PDU Type snmp.pdu.type Protocol Data Unit type (Trap, SNMPv2Trap)
Source IP network.peer.ip IP address of the trap sender
Variables snmp.varbinds Variable bindings as OID-value pairs
Variable Count snmp.variables.count Number of variables in the trap
Request ID snmp.request.id Request identifier (v2c only)
Enterprise OID snmp.enterprise_oid Enterprise identifier (v1 only)
Generic Trap snmp.generic_trap Generic trap type number (v1 only)
Generic Trap Name snmp.generic_trap_name Human-readable trap type (v1 only)
Specific Trap snmp.specific_trap Enterprise-specific trap number (v1 only)
Agent Address snmp.agent.address Agent IP address (v1 only)
Trap OID snmp.trap_oid Combined trap identifier (v1 only)

Trap Type Mapping

SNMPv1 generic trap types are automatically mapped to descriptive names:

Generic Trap Name Description
0 coldStart Agent reinitialized with configuration changes
1 warmStart Agent reinitialized without configuration changes
2 linkDown Network interface went down
3 linkUp Network interface came up
4 authenticationFailure Authentication attempt failed
5 egpNeighborLoss EGP neighbor relationship lost
6 enterpriseSpecific Vendor-specific trap

Example Configurations

Basic Configuration

This minimal configuration uses all default settings to receive SNMP traps. The node automatically listens on the standard SNMP trap port and accepts traps from any source.

nodes:
- name: snmp_trap_receiver
  type: snmp_trap_input

Custom Port Configuration

For environments where the standard trap port is unavailable or when running without elevated privileges, specify a custom port above 1024.

nodes:
- name: snmp_trap_custom_port
  type: snmp_trap_input
  port: 1162
  listen: "0.0.0.0"
  transport: udp

Advanced Configuration with Community String

This configuration demonstrates advanced options including community string validation and specific network interface binding.

nodes:
- name: snmp_trap_secure
  type: snmp_trap_input
  port: 162
  listen: "10.0.0.100"
  transport: udp
  community: "secret-community"
  source_metadata: true

Example Output

When SNMP traps are received, they are parsed and converted into structured log items. Below are examples showing the raw trap sent and the resulting processed data item.

SNMPv2c Cold Start Trap

Raw trap sent:

snmptrap -v 2c -c public <edge-delta-host> '' \
  1.3.6.1.6.3.1.1.5.1 \
  1.3.6.1.6.3.1.1.5.1 s "coldStart trap from router"

Processed data item in pipeline:

{
  "_type": "log",
  "timestamp": 1756958216967,
  "body": "SNMP 2c trap from 10.244.0.20",
  "resource": {
    "ed.source.name": "snmp_trap_receiver",
    "ed.source.type": "snmp_trap_input",
    "host.ip": "172.19.0.2",
    "host.name": "edge-delta-agent",
    "service.name": ""
  },
  "attributes": {
    "network.peer.ip": "10.244.0.20",
    "snmp.pdu.type": "SNMPv2Trap",
    "snmp.request.id": 2112302011,
    "snmp.varbinds": {
      ".1.3.6.1.2.1.1.3.0": {
        "centiseconds": 3522368,
        "duration": "9h47m3.68s",
        "seconds": 35223.68
      },
      ".1.3.6.1.6.3.1.1.4.1.0": ".1.3.6.1.6.3.1.1.5.1",
      ".1.3.6.1.6.3.1.1.5.1": "coldStart trap from router"
    },
    "snmp.variables.count": 3,
    "snmp.version": "2c"
  },
  "observed_timestamp": 1756958216990
}

SNMPv1 Enterprise-Specific Trap

Raw trap sent:

snmptrap -v 1 -c public <edge-delta-host> \
  1.3.6.1.4.1.9 192.168.1.1 6 33 100 \
  1.3.6.1.2.1.2.2.1.1 i 1

Processed data item in pipeline:

{
  "_type": "log",
  "timestamp": 1756958229890,
  "body": "SNMP trap enterpriseSpecific from 10.244.0.20",
  "resource": {
    "ed.source.name": "snmp_trap_receiver",
    "ed.source.type": "snmp_trap_input",
    "host.ip": "172.19.0.2",
    "host.name": "edge-delta-agent",
    "service.name": ""
  },
  "attributes": {
    "network.peer.ip": "10.244.0.20",
    "snmp.agent.address": "192.168.1.1",
    "snmp.enterprise_oid": ".1.3.6.1.4.1.9",
    "snmp.generic_trap": 6,
    "snmp.generic_trap_name": "enterpriseSpecific",
    "snmp.pdu.type": "Trap",
    "snmp.specific_trap": 33,
    "snmp.trap_oid": ".1.3.6.1.4.1.9.0.33",
    "snmp.varbinds": {
      ".1.3.6.1.2.1.2.2.1.1": 1
    },
    "snmp.variables.count": 1,
    "snmp.version": "1"
  },
  "observed_timestamp": 1756958229910
}

Temperature Alert Trap

Raw trap sent:

snmptrap -v 2c -c public <edge-delta-host> '' \
  1.3.6.1.4.1.9.9.13.1.3.0.2 \
  1.3.6.1.4.1.9.9.13.1.3.0.2 s "Temperature threshold exceeded: 85C"

Processed data item in pipeline:

{
  "_type": "log",
  "timestamp": 1756958222627,
  "body": "SNMP 2c trap from 10.244.0.20",
  "resource": {
    "ed.source.name": "snmp_trap_receiver",
    "ed.source.type": "snmp_trap_input",
    "host.ip": "172.19.0.2",
    "host.name": "edge-delta-agent",
    "service.name": ""
  },
  "attributes": {
    "network.peer.ip": "10.244.0.20",
    "snmp.pdu.type": "SNMPv2Trap",
    "snmp.request.id": 786929287,
    "snmp.varbinds": {
      ".1.3.6.1.2.1.1.3.0": {
        "centiseconds": 3522935,
        "duration": "9h47m9.35s",
        "seconds": 35229.35
      },
      ".1.3.6.1.4.1.9.9.13.1.3.0.2": "Temperature threshold exceeded: 85C",
      ".1.3.6.1.6.3.1.1.4.1.0": ".1.3.6.1.4.1.9.9.13.1.3.0.2"
    },
    "snmp.variables.count": 3,
    "snmp.version": "2c"
  },
  "observed_timestamp": 1756958222650
}

Required Parameters

name

A descriptive name for the node. This is the name that will appear in pipeline builder and you can reference this node in the YAML using the name. It must be unique across all nodes. It is a YAML list element so it begins with a - and a space followed by the string. It is a required parameter for all nodes.

nodes:
  - name: <node name>
    type: <node type>

type: snmp_trap_input

The type parameter specifies the type of node being configured. It is specified as a string from a closed list of node types. It is a required parameter.

nodes:
  - name: <node name>
    type: <node type>

Optional Parameters

port

The port parameter specifies the UDP port to listen on for incoming SNMP traps. The standard SNMP trap port is 162, but this requires elevated privileges. Common alternative ports include 1162 for unprivileged operation. If not specified, the node uses its default port configuration.

It is specified as an integer and is optional.

nodes:
  - name: <node name>
    type: snmp_trap_input
    port: 1162

listen

The listen parameter specifies the IP address to bind to for listening. Use “0.0.0.0” to listen on all network interfaces, or specify a particular IP address to restrict trap reception to a specific interface. Default is “0.0.0.0”.

It is specified as a string and is optional.

nodes:
  - name: <node name>
    type: snmp_trap_input
    listen: "0.0.0.0"

transport

The transport parameter specifies the transport protocol for receiving traps. SNMP traps are always sent via UDP according to the SNMP specification. This parameter defaults to “udp” and should not be changed.

It is specified as a string and is optional.

nodes:
  - name: <node name>
    type: snmp_trap_input
    transport: udp

community

The community parameter specifies the SNMP community string to validate incoming traps. If set, only traps with matching community strings will be accepted. If not specified, traps with any community string are accepted. This provides basic authentication for trap sources.

It is specified as a string and is optional.

nodes:
  - name: <node name>
    type: snmp_trap_input
    community: "public"

source_metadata

The source_metadata parameter is used to define which detected resources and attributes to add to each data item as it is ingested by the Edge Delta agent. In the GUI you can select:

  • Required Only: This option includes the minimum required resources and attributes for Edge Delta to operate.
  • Default: This option includes the required resources and attributes plus those selected by Edge Delta
  • High: This option includes the required resources and attributes along with a larger selection of common optional fields.
  • Custom: With this option selected, you can choose which attributes and resources to include. The required fields are selected by default and can’t be unchecked.

Based on your selection in the GUI, the source_metadata YAML is populated as two dictionaries (resource_attributes and attributes) with Boolean values.

See Choose Data Item Metadata for more information on selecting metadata.

Configuring SNMP Trap Sources

Cisco IOS/IOS-XE Configuration

Configure Cisco devices to send SNMP traps to Edge Delta. The snmp-server host command specifies the trap destination, while snmp-server enable traps controls which trap types are sent.

snmp-server host <edge-delta-host> version 2c public udp-port 1162
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps envmon fan shutdown supply temperature status
snmp-server enable traps cpu threshold
snmp-server enable traps memory bufferpeak
snmp-server enable traps config

This configuration sends authentication, environmental, CPU, memory, and configuration change traps to Edge Delta. The traps use SNMPv2c format with the “public” community string.

Juniper Junos Configuration

Configure Juniper devices to forward SNMP traps for system events and chassis alarms. The trap-group defines the destination and trap categories, while trap-options controls which specific events generate traps.

set snmp trap-group edge-delta version v2
set snmp trap-group edge-delta targets <edge-delta-host> port 1162
set snmp trap-group edge-delta categories authentication
set snmp trap-group edge-delta categories chassis
set snmp trap-group edge-delta categories link
set snmp trap-group edge-delta categories remote-operations
set snmp trap-options source-address lo0

Linux Net-SNMP Configuration

Configure Linux systems to send traps using snmpd and snmptrapd. The configuration enables standard system traps and custom application traps.

# /etc/snmp/snmpd.conf
trap2sink <edge-delta-host>:1162 public
authtrapenable 1
linkUpDownNotifications yes
defaultMonitors yes

After configuration, restart snmpd:

sudo systemctl restart snmpd

To send custom traps from applications or scripts:

# Send a custom application trap
snmptrap -v 2c -c public <edge-delta-host>:1162 '' \
  1.3.6.1.4.1.YOUR_ENTERPRISE_OID.1.1 \
  1.3.6.1.4.1.YOUR_ENTERPRISE_OID.1.1.1 s "Application error occurred" \
  1.3.6.1.4.1.YOUR_ENTERPRISE_OID.1.1.2 i 500

VMware ESXi Configuration

Configure ESXi hosts to send SNMP traps for hardware and virtual machine events:

# Enable SNMP
esxcli system snmp set --enable true

# Configure trap destination
esxcli system snmp set --targets <edge-delta-host>@1162/public

# Set community string
esxcli system snmp set --communities public

# Enable specific trap types
esxcli system snmp set --hwsrc sensors
esxcli system snmp set --loglevel info

Windows SNMP Service

Configure Windows Server to send SNMP traps:

  1. Install SNMP Service via Server Manager or PowerShell:
Install-WindowsFeature SNMP-Service -IncludeManagementTools
  1. Configure trap destination via Registry or PowerShell:
# Add trap destination
New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\TrapConfiguration\public" `
  -Name "1" -Value "<edge-delta-host>:1162" -PropertyType String

# Restart service
Restart-Service SNMP

Application Integration

Python with pysnmp

Send custom traps from Python applications:

from pysnmp.hlapi import *
from pysnmp.proto import rfc1902

def send_trap(message, severity):
    error_indication, error_status, error_index, var_binds = next(
        sendNotification(
            SnmpEngine(),
            CommunityData('public'),
            UdpTransportTarget(('<edge-delta-host>', 1162)),
            ContextData(),
            'trap',
            NotificationType(
                ObjectIdentity('1.3.6.1.4.1.YOUR_OID.1.1')
            ).addVarBinds(
                ('1.3.6.1.4.1.YOUR_OID.1.1.1', OctetString(message)),
                ('1.3.6.1.4.1.YOUR_OID.1.1.2', Integer32(severity))
            )
        )
    )
    
    if error_indication:
        print(f'Trap failed: {error_indication}')

# Usage
send_trap("Database connection pool exhausted", 3)
send_trap("Backup completed successfully", 6)

Java with SNMP4J

Send traps from Java applications:

import org.snmp4j.*;
import org.snmp4j.mp.*;
import org.snmp4j.smi.*;
import org.snmp4j.transport.*;

public class TrapSender {
    public static void sendTrap(String message) throws IOException {
        TransportMapping transport = new DefaultUdpTransportMapping();
        Snmp snmp = new Snmp(transport);
        transport.listen();
        
        CommunityTarget target = new CommunityTarget();
        target.setCommunity(new OctetString("public"));
        target.setAddress(new UdpAddress("<edge-delta-host>/1162"));
        target.setVersion(SnmpConstants.version2c);
        
        PDU pdu = new PDU();
        pdu.setType(PDU.TRAP);
        pdu.add(new VariableBinding(SnmpConstants.sysUpTime, 
            new TimeTicks(System.currentTimeMillis() / 10)));
        pdu.add(new VariableBinding(SnmpConstants.snmpTrapOID, 
            new OID("1.3.6.1.4.1.YOUR_OID.1.1")));
        pdu.add(new VariableBinding(new OID("1.3.6.1.4.1.YOUR_OID.1.1.1"), 
            new OctetString(message)));
        
        snmp.send(pdu, target);
        snmp.close();
    }
}

Testing SNMP Trap Configuration

After configuring your devices, test trap delivery using these methods:

Using snmptrap Command

# Test SNMPv2c trap
snmptrap -v 2c -c public <edge-delta-host>:1162 '' \
  1.3.6.1.6.3.1.1.5.3 \
  1.3.6.1.6.3.1.1.5.3 s "Test trap from $(hostname)"

# Test SNMPv1 trap
snmptrap -v 1 -c public <edge-delta-host>:1162 \
  1.3.6.1.4.1.9 $(hostname -I | awk '{print $1}') 6 1 '' \
  1.3.6.1.2.1.1.5.0 s $(hostname)

Verify Receipt

Check Edge Delta Live Capture to confirm traps are being received and parsed correctly. Look for:

  • Correct source IP in network.peer.ip
  • Proper trap type identification
  • Complete varbind extraction
  • Accurate timestamp processing

Best Practices

Port Selection

When configuring the SNMP Trap source node, consider port accessibility and security requirements. The standard SNMP trap port 162 requires root or administrative privileges, which may not be available in containerized deployments or restricted environments. Using port 1162 or another port above 1024 allows the Edge Delta agent to run without elevated privileges while maintaining compatibility with most SNMP trap senders that support custom port configuration.

Security Considerations

SNMP traps are transmitted in clear text without encryption, making them vulnerable to interception and spoofing. While community strings provide basic authentication, they are also sent unencrypted and should not be considered secure. Implement network segmentation to isolate SNMP traffic from untrusted networks, and use firewall rules to restrict which devices can send traps to your Edge Delta agents. For sensitive environments, consider using dedicated VLANs or VPNs for SNMP traffic. Monitor for unusual trap patterns that might indicate spoofing attempts or compromised devices.

Trap Filtering and Processing

Not all SNMP traps require the same level of attention or retention. Configure your source devices to send only relevant traps to reduce noise and processing overhead. Use Edge Delta processors to filter, enrich, or route traps based on their type, severity, or source. For example, you might route critical hardware failure traps to immediate alerting while aggregating informational traps for trend analysis. Consider implementing rate limiting for high-volume trap sources to prevent overwhelming your pipeline during network events or misconfigurations.

Performance Optimization

SNMP traps use UDP for transport, which provides low overhead but no delivery guarantee. During high-volume events like network outages, trap storms can occur where devices send thousands of traps simultaneously. Configure appropriate buffer sizes in your Edge Delta agent to handle burst traffic without drops. Monitor the snmp.variables.count attribute to identify complex traps that might impact processing performance. For environments with numerous trap sources, consider deploying multiple Edge Delta agents and using anycast or load balancing to distribute the trap processing load.

Varbind Processing

SNMP traps contain variable bindings (varbinds) that carry the actual event data. These are stored in the snmp.varbinds attribute as OID-value pairs. The OIDs are typically long numeric strings that require MIB files for human-readable translation. Consider using OTTL functions or processors to map common OIDs to meaningful field names in your pipeline. For time-based values like uptime, Edge Delta automatically provides multiple formats (centiseconds, duration string, seconds) for flexibility in downstream processing.

Troubleshooting

Traps Not Received

If traps are not appearing in Live Capture, verify network connectivity between trap sources and the Edge Delta agent using ping or traceroute. Check firewall rules on both the source device and the Edge Delta host to ensure UDP traffic is allowed on the configured port. Confirm the Edge Delta agent has successfully started the SNMP trap listener by checking agent logs. Test with a simple snmptrap command from the same network segment to isolate network versus configuration issues.

Authentication Failures

When using community string validation, ensure the community string in your trap source configuration exactly matches the one configured in the Edge Delta node. Community strings are case-sensitive. Check device logs for authentication failure messages. If traps from some devices work but others don’t, verify all devices are configured with the correct community string.

Incomplete Varbind Data

If varbind data appears truncated or missing, check whether the trap source is sending complete information. Some devices may require additional configuration to include all relevant OIDs in their traps. Use packet capture tools like tcpdump or Wireshark to examine the raw trap packets and verify their content. Large traps with many varbinds may be fragmented at the network layer - ensure your network MTU settings accommodate the trap sizes.

Port Binding Issues

If the agent cannot bind to the specified port, verify no other process is using that port with netstat -uln | grep <port>. For ports below 1024, ensure the Edge Delta agent has appropriate privileges or switch to a higher port number. In Kubernetes environments, confirm the pod security context allows the specified port. Container runtime security policies may also restrict certain port ranges.