SNMP interaction logging

Thomas Ramsey
Community Member

If I access a Cisco device (switch, router, firewall, WAP, etc.) that is configured to respond to SNMP queries, is there any way to know or to "trap" when the device responds to a query? For example, I query for device uptime. Is there any (or can there be a) reflex from the device to record that query, transmit a syslog, or "trap" on the query the date, time, and IP of the device that queried said device?

I've previously only ever really had to configure SNMP on Cisco devices. I've never been involved with the querying of said devices. I know there are programs like SNMPc or Solarwinds that can actually do queries to the devices or receive the traps from them. My initial Google-Fu and interactions with GenAI keep getting distracted with providing setup instructions.


6 Replies

Thomas Ramsey
Community Member

Just edited the OP because I re-read it and recognized that I left out that the Cisco device is configured for and responding to SNMP queries (leaving that out is confusing and bad).

marce1000
Hall of Fame

- No, that is not possible; the idea is that SNMP will always remain authorized by configuring strong communities, SNMPv3, ACLs for restricting SNMP access, firewalling...

M.

-- Each morning when I wake up and look into the mirror I always say 'Why am I so brilliant?'
When the mirror will then always respond to me with 'The only thing that exceeds your brilliance is your beauty!'

Thomas Ramsey
Community Member

Thanks Marce - that's good info to know. I asked because a co-worker asked me this as a hypothetical question. My first response was just to say, "Only use v3" and place an ACL on it - but, I was curious about the base case.

My inclination was to say, "no" myself. But, I've never really dabbled in how SNMP actually operates.

Joseph W. Doherty
Hall of Fame

Possibly (?) crude monitoring might be done using an EEM script watching for some stat to increment that would reflect an SNMP query, or even, if possible, EEM monitoring embedded packet capture. But if something like the foregoing is possible, it may not be possible to obtain the level of detail you seek.

I don't believe SNMP was ever envisioned as providing such information itself. SNMP provides a protocol for network management communication, but doesn't, I believe, fully detail what data needs to be communicated. For example, a vendor device MIB often has vendor/device-specific data.

Thomas Ramsey
Community Member

Vaguely, I thought maybe you could use a "permit all" ACL that is set to log the ACL use and then apply it to SNMP. You probably then can tell what IPs / devices are using SNMP. But, you won't know what the query was.

And I suppose, you could maybe do something like - I dunno - maybe set up a SPAN session and then have some IDS or Splunk or something record the SNMP traffic to catalogue the raw queries and replies for future consideration. Maybe some plugin or DPI could sift through and sort out the data. But, that's going way too deep into forensics. The hypothetical wasn't asking that.

The hypothetical was literally just: "Joe Bob uses SNMP to query a router" - is there any on-device logging or configurable telemetry to know what they queried for?

Which I'm now pretty confident in saying, the answer is no. And just protect SNMP by using v3 and applying an ACL.
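The off-box route mentioned above (SPAN the traffic, then have a collector sift out who queried what) comes down to decoding the SNMP request off the wire. The following is an added example, not code from the thread or from Cisco: a small BER parser for SNMPv1/v2c request PDUs that turns a captured UDP/161 payload plus its source IP into a syslog-style record (version, PDU type, request-id, requested OIDs). The sample packet, the poller address 192.0.2.10 and all function names are constructed for illustration. It deliberately refuses SNMPv3: there is no community string to read, and with privacy enabled the varbinds are encrypted, which is exactly why v3 is the recommended setting.

```python
"""Off-box SNMP query cataloguing (added example). Parses a captured SNMPv1/v2c
request and emits a log record of source IP, version, PDU type and OIDs."""
from dataclasses import dataclass
from typing import List, Tuple

# PDU tags from RFC 3416 (context-specific, constructed)
PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "Response",
             0xA3: "SetRequest", 0xA5: "GetBulkRequest"}
VERSION_NAMES = {0: "v1", 1: "v2c", 3: "v3"}


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Decode one BER tag/length/value at pos -> (tag, value, next_pos).
    Handles short-form and long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw: bytes) -> str:
    """BER OBJECT IDENTIFIER contents -> dotted string (base-128 arcs)."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear ends this sub-identifier
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


@dataclass
class SnmpQuery:
    src_ip: str
    version: str
    community: str
    pdu_type: str
    request_id: int
    oids: List[str]

    def log_line(self) -> str:
        """Syslog-style line for a SIEM. The community is a credential, so only
        its length is logged, never the value itself."""
        return (f"snmp_query src={self.src_ip} version={self.version} "
                f"community_len={len(self.community)} pdu={self.pdu_type} "
                f"request_id={self.request_id} oids={','.join(self.oids)}")


def parse_snmp_query(src_ip: str, payload: bytes) -> SnmpQuery:
    """Parse an SNMPv1/v2c message. SNMPv3 is rejected: it has no community and,
    with privacy, its varbinds are encrypted on the wire."""
    tag, msg, _ = _read_tlv(payload, 0)
    if tag != 0x30:
        raise ValueError("payload is not a BER SEQUENCE (not SNMP)")
    _, ver_raw, pos = _read_tlv(msg, 0)
    version = VERSION_NAMES.get(int.from_bytes(ver_raw, "big"), "unknown")
    if version not in ("v1", "v2c"):
        raise ValueError(f"SNMP {version}: not parsed by this example")
    _, community, pos = _read_tlv(msg, pos)
    pdu_tag, pdu, _ = _read_tlv(msg, pos)
    pdu_type = PDU_NAMES.get(pdu_tag, f"unknown(0x{pdu_tag:02x})")
    _, rid_raw, pos = _read_tlv(pdu, 0)   # request-id
    _, _, pos = _read_tlv(pdu, pos)       # error-status (non-repeaters for GetBulk)
    _, _, pos = _read_tlv(pdu, pos)       # error-index (max-repetitions for GetBulk)
    _, vb_list, _ = _read_tlv(pdu, pos)   # SEQUENCE OF VarBind
    oids, pos = [], 0
    while pos < len(vb_list):
        _, vb, pos = _read_tlv(vb_list, pos)
        _, oid_raw, _ = _read_tlv(vb, 0)  # name; the value (NULL in a Get) is ignored
        oids.append(_decode_oid(oid_raw))
    return SnmpQuery(src_ip, version, community.decode("ascii", "replace"), pdu_type,
                     int.from_bytes(rid_raw, "big", signed=True), oids)


# --- constructed sample traffic: a tiny BER encoder used only to build the test packet ---
def _tlv(tag: int, value: bytes) -> bytes:
    assert len(value) < 128  # short-form length suffices for the sample
    return bytes([tag, len(value)]) + value


def _encode_oid(oid: str) -> bytes:
    arcs = [int(a) for a in oid.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, (arc & 0x7F) | 0x80)
            arc >>= 7
        out.extend(chunk)
    return bytes(out)


def build_get_request(community: str, oids: List[str], request_id: int = 42) -> bytes:
    """Build an SNMPv2c GetRequest like the one a poller would send."""
    varbinds = b"".join(_tlv(0x30, _tlv(0x06, _encode_oid(o)) + _tlv(0x05, b"")) for o in oids)
    pdu = (_tlv(0x02, request_id.to_bytes(4, "big")) + _tlv(0x02, b"\x00")
           + _tlv(0x02, b"\x00") + _tlv(0x30, varbinds))
    return _tlv(0x30, _tlv(0x02, b"\x01") + _tlv(0x04, community.encode()) + _tlv(0xA0, pdu))


if __name__ == "__main__":
    # Constructed capture: poller 192.0.2.10 asks a device for sysUpTime.0 and sysName.0
    pkt = build_get_request("public", ["1.3.6.1.2.1.1.3.0", "1.3.6.1.2.1.1.5.0"])
    print(parse_snmp_query("192.0.2.10", pkt).log_line())
```

In a real deployment the payload and source IP would come from the capture tool fed by the SPAN session (a pcap reader or an IDS hook), and the log line would be shipped to the SIEM; the point the thread makes still holds, namely that this visibility lives on the collector, not on the device.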


@Thomas Ramsey wrote:

Vaguely, I thought maybe you could use a "permit all" ACL that is set to log the ACL use and then apply it to SNMP. You probably then can tell what IPs / devices are using SNMP. But, you won't know what the query was.

And I suppose, you could maybe do something like - I dunno - maybe set up a SPAN session and then have some IDS or Splunk or something record the SNMP traffic to catalogue the raw queries and replies for future consideration. Maybe some plugin or DPI could sift through and sort out the data. But, that's going way too deep into forensics. The hypothetical wasn't asking that.

The hypothetical was literally just: "Joe Bob uses SNMP to query a router" - is there any on-device logging or configurable telemetry to know what they queried for?

Which I'm now pretty confident in saying, the answer is no. And just protect SNMP by using v3 and applying an ACL.


Yup, that pretty much sums up my thinking too.