diff --git a/content/en/network_monitoring/devices/snmp_traps.md b/content/en/network_monitoring/devices/snmp_traps.md index 394341f8e91fc..58801c6c8d652 100644 --- a/content/en/network_monitoring/devices/snmp_traps.md +++ b/content/en/network_monitoring/devices/snmp_traps.md @@ -37,7 +37,7 @@ Datadog Agent v7.37+ supports listening for SNMP Traps, enabling you to set up [ authKey: myAuthKey authProtocol: "SHA" privKey: myPrivKey - privProtocol: "AES" + privProtocol: "AES" - user: "user" authKey: myAuthKey authProtocol: "MD5" @@ -52,6 +52,8 @@ Datadog Agent v7.37+ supports listening for SNMP Traps, enabling you to set up [ **Note**: Multiple v3 users and passwords are supported as of Datadog Agent `7.51` or higher. + **Note**: Ensure that your [firewall rules][7] allow incoming UDP traffic on the configured port. + 2. Once configured, SNMP traps are forwarded as logs and can be found in the [Log Explorer][2] with the following search query: `source:snmp-traps`. {{< img src="network_device_monitoring/snmp/snmp_logs_2.png" alt="Log Explorer showing `source:snmp-traps` with an SNMP Trap log line selected, highlighting the Network Device tag" style="width:90%" >}} 
@@ -88,9 +90,9 @@ Binding to a port number under 1024 requires elevated permissions. To bind to a As in [Network Device Monitoring][3], namespaces can be used as tags to differentiate between multiple network devices that may share the same private IP. For example, consider a case of two routers: one in New York and one in Paris, which share the same private IP. There should be one Agent in the New York data center and another in the Paris data center. You may wish to tag these with `namespace: nyc` and `namespace: paris`, respectively. -The namespace can then be used to uniquely pivot from an SNMP Trap to the emitter device, or from the emitter device to an SNMP Trap. +The namespace can then be used to uniquely pivot from an SNMP Trap to the emitter device, or from the emitter device to an SNMP Trap. -It is critical to have consistency between the multiple Agent configurations. For instance, if you have two Agents configured (for example, one for trap collection, and the other for metrics) you must ensure that the namespaces exist in both places. Alternatively, ensure that the namespaces exist in neither. +It is critical to have consistency between the multiple Agent configurations. For instance, if you have two Agents configured (for example, one for trap collection, and the other for metrics) you must ensure that the namespaces exist in both places. Alternatively, ensure that the namespaces exist in neither. ## Resolution @@ -175,3 +177,4 @@ If there are errors due to missing dependencies and you have access to the missi [4]: /developers/integrations/python [5]: https://pypi.org/project/pysmi/ [6]: /agent/configuration/agent-commands/#start-stop-and-restart-the-agent +[7]: /network_monitoring/devices/troubleshooting#traps-or-flows-not-being-received-at-all diff --git a/content/en/network_monitoring/devices/troubleshooting.md b/content/en/network_monitoring/devices/troubleshooting.md index 901804057def6..a9357615ed79f 100644 
--- a/content/en/network_monitoring/devices/troubleshooting.md +++ b/content/en/network_monitoring/devices/troubleshooting.md 
@@ -145,6 +145,58 @@ If you see a permission denied error while port binding in agent logs, the port - privKey - privProtocol +### Traps or Flows not being received at all + +If SNMP traps or NetFlow traffic are missing, a common cause is firewall rules blocking UDP packets before they reach the Agent. Both SNMP traps and NetFlow rely on UDP and use the ports defined in your [datadog.yaml][9] configuration. + +Use the following platform-specific commands to check for firewall rules that may be blocking the traffic from reaching the Agent. + +#### Linux + +Linux has multiple types of firewall such as `iptables`, `nftables`, or `ufw`. Depending on which one is in use, the following commands can be used: + +- `sudo iptables -S` + +- `sudo nft list ruleset` + +- `sudo ufw status` + +Check for rules blocking UDP traffic on the configured ports. + +#### Windows + +The Agent's `datadog-agent diagnose` command automatically checks for blocking firewall rules and displays warnings if any are found. + +To manually inspect firewall rules: + +```powershell +Get-NetFirewallRule -Action Block | ForEach-Object { + $rule = $_ + Get-NetFirewallPortFilter -AssociatedNetFirewallRule $rule | Select-Object + @{Name="Name"; Expression={$rule.Name}}, + @{Name="DisplayName"; Expression={'"' + $rule.DisplayName + '"'}}, + @{Name="Direction"; Expression={$rule.Direction}}, + @{Name="Protocol"; Expression={$_.Protocol}}, + @{Name="LocalPort"; Expression={$_.LocalPort}}, + @{Name="RemotePort"; Expression={$_.RemotePort}} +} | Format-Table -AutoSize +``` + +Look for rules where: +- **Direction** is Inbound +- **Protocol** is UDP +- **LocalPort** matches one of your configured ports + +#### macOS + +Run the following command to review packet filter (pf) rules: + +```shell +sudo pfctl -sr +``` + +Check for any rules blocking UDP traffic on your configured ports, e.g. `block drop in proto udp from any to any port = `. + ### Traps not being received for devices 1. 
Check the Datadog `agent.log` file to ensure that you can bind to the traps port. The following error indicates that you are unable to bind to the traps port: @@ -218,4 +270,5 @@ If you see a permission denied error while port binding in agent logs, the port [5]: /api/latest/network-device-monitoring/#get-the-list-of-interfaces-of-the-device [6]: /api/latest/network-device-monitoring/#get-the-list-of-tags-for-a-device [7]: /api/latest/network-device-monitoring/#update-the-tags-for-a-device -[8]: /network_monitoring/devices/snmp_traps/#using-the-default-snmp-trap-port-162 \ No newline at end of file +[8]: /network_monitoring/devices/snmp_traps/#using-the-default-snmp-trap-port-162 +[9]: /agent/configuration/agent-configuration-files/?tab=agentv6v7#agent-main-configuration-file diff --git a/content/en/network_monitoring/netflow/_index.md b/content/en/network_monitoring/netflow/_index.md index bff28b9a1d2ee..269aa8d85d567 100644 --- a/content/en/network_monitoring/netflow/_index.md +++ b/content/en/network_monitoring/netflow/_index.md @@ -51,6 +51,8 @@ network_devices: After saving your changes, [restart the Agent][4]. +**Note**: Ensure that your [firewall rules][9] allow incoming UDP traffic on the configured ports. + ## Aggregation The Datadog Agent automatically aggregates the data received into NetFlow to limit the number of records sent to the platform while maintaining most of the information. By default, flow recordings that have the same identifiers, such as `source`, `destination address`, `port`, and `protocol`, are aggregated together in five minute intervals. Additionally, the Datadog Agent can detect ephemeral ports and remove them. As a result, you may see Flows with `port:*`. 
@@ -87,7 +89,7 @@ Enable Reverse DNS private IP enrichment to perform DNS lookups for hostnames as By [default][7], the Reverse DNS IP enrichment in your `datadog.yaml` file is disabled. To enable, see the [Configuration](#configuration) section of this page. -Search for **DNS** in the Flow grouping of the facets section to locate flows associated with Reverse DNS IP enrichment: +Search for **DNS** in the Flow grouping of the facets section to locate flows associated with Reverse DNS IP enrichment: {{< img src="network_device_monitoring/netflow/dns_ip_enrichment.png" alt="Screenshot of the reverse DNS destination and source facets" width="100%" >}} @@ -283,3 +285,4 @@ Use the `netstat -s` command to see if there are any dropped UDP packets: [6]: /monitors/types/netflow/ [7]: https://github.com/DataDog/datadog-agent/blob/f6ae461a7d22aaf398de5a94d9330694d69560d6/pkg/config/config_template.yaml#L4201 [8]: https://github.com/DataDog/datadog-agent/blob/f6ae461a7d22aaf398de5a94d9330694d69560d6/pkg/config/config_template.yaml#L4203-L4275 +[9]: /network_monitoring/devices/troubleshooting#traps-or-flows-not-being-received-at-all
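Review bot: In the Windows block of the troubleshooting.md hunk (`@@ -145,6 +145,58 @@`), the line ending in `| Select-Object` has no continuation, so PowerShell ends the statement there and evaluates the following `@{Name=...}` lines as a separate expression instead of as the property list. Put the first calculated property on the same line as `Select-Object`, or end that line with a backtick, so the table shows the intended columns. In the same hunk, the macOS example `block drop in proto udp from any to any port = ` ends without a port value; add an explicit placeholder such as `<PORT>` so readers know what to match against.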
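Review bot: The note added in snmp_traps.md (`@@ -52,6 +52,8 @@`) tells readers to allow incoming UDP traffic on the configured port but gives no scope for the rule. Suggest wording that limits the allow rule to the trap port and to the source addresses of the monitored devices, so the listener is not opened to every sender. The matching note added in netflow/_index.md (`@@ -51,6 +51,8 @@`) would benefit from the same wording.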
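Review bot: The new reference `[7]: /network_monitoring/devices/troubleshooting#traps-or-flows-not-being-received-at-all` in snmp_traps.md (`@@ -175,3 +177,4 @@`) puts the fragment directly after the path, while the neighbouring `[6]: /agent/configuration/agent-commands/#start-stop-and-restart-the-agent` uses a trailing slash before `#`. Use `/network_monitoring/devices/troubleshooting/#traps-or-flows-not-being-received-at-all` for consistency; `[9]` in netflow/_index.md has the same form and should change with it.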