Using SNMP for sending statistics to third-party applications
This section describes how to get information from Administration Server by using Simple Network Management Protocol (SNMP) in Windows. Kaspersky Security Center includes an SNMP agent that exposes Administration Server performance statistics to third-party applications as counters identified by object identifiers (OIDs).
This section also contains information on resolving problems that you might encounter while using SNMP for Kaspersky Security Center.
SNMP agent and object identifiers
For Kaspersky Security Center, the SNMP agent is implemented as a dynamic library, klsnmpag.dll, which the installer registers during Administration Server installation. The SNMP agent runs inside the snmp.exe process (the Windows SNMP service). Third-party applications use SNMP to receive Administration Server performance statistics in the form of counters.
Each counter has a unique object identifier (also referred to as OID). An object identifier is a sequence of numbers separated by dots. The object identifiers of Administration Server start with the prefix 1.3.6.1.4.1.23668.1093. The OID of a counter is the concatenation of that prefix with a suffix that identifies the counter. For example, the counter with the OID 1.3.6.1.4.1.23668.1093.1.1.4 has the suffix 1.1.4.
You can use an SNMP client (such as Zabbix) to monitor the state of your system. To get a piece of information, look up the OID that corresponds to it and enter that OID into your SNMP client; the client then returns the value that characterizes the status of your system.
The list of counters and counter types is in the adminkit.mib file on the Administration Server. MIB stands for Management Information Base. You can import and parse .mib files with a MIB viewer application designed for requesting and displaying counter values.
Getting a string counter name from an object identifier
To use an object identifier (OID) for transferring information to third-party applications, you may need the string counter name that corresponds to that OID.
To get a string counter name from an OID:
- Open the adminkit.mib file, which is located on the Administration Server, in a text editor.
- Locate the namespace describing the first value (from left to right). For example, for the OID suffix 1.1.4 this is "counters" (::= { kladminkit 1 }).
- Locate the namespace describing the second value. For example, for the OID suffix 1.1.4 this is counters 1, which stands for deployment.
- Locate the namespace describing the third value. For example, for the OID suffix 1.1.4 this is deployment 4, which stands for hostsWithAntivirus.
The string counter name is the concatenation of these values, for example <MIB base namespace>.counters.deployment.hostsWithAntivirus, and it corresponds to the OID 1.3.6.1.4.1.23668.1093.1.1.4.
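The three manual lookups above can be automated. The following Python example is added here and is not part of the Kaspersky documentation: it parses a constructed MIB fragment written in adminkit.mib style (the only real values in it are the kladminkit root, the 1.3.6.1.4.1.23668.1093 prefix and the 1.1.4 path from the page) and resolves an OID suffix or a full OID to the dotted counter name, and a counter name back to its OID.

```python
import re

# Constructed MIB fragment in adminkit.mib style (not the real file): only the
# nodes the manual procedure walks for suffix 1.1.4, under the kladminkit root.
SAMPLE_MIB = """
counters            OBJECT IDENTIFIER ::= { kladminkit 1 }
deployment          OBJECT IDENTIFIER ::= { counters 1 }
hostsWithAntivirus  OBJECT-TYPE
    SYNTAX      Integer32
    MAX-ACCESS  read-only
    DESCRIPTION "Constructed text: devices with managed applications installed."
    ::= { deployment 4 }
"""
ROOT_NAME = "kladminkit"             # MIB base namespace named on the page
ROOT_OID = "1.3.6.1.4.1.23668.1093"  # Administration Server OID prefix

# "<name> OBJECT IDENTIFIER ::= { <parent> <n> }" or the multi-line OBJECT-TYPE
# form; the lazy .*? stops at the first "::= {", which closes that definition.
_DEF = re.compile(
    r"^\s*(?P<name>[A-Za-z][\w-]*)\s+OBJECT(?:-TYPE|\s+IDENTIFIER)\b.*?"
    r"::=\s*\{\s*(?P<parent>[A-Za-z][\w-]*)\s+(?P<num>\d+)\s*\}",
    re.MULTILINE | re.DOTALL,
)

def parse_mib(text):
    # {(parent name, sub-identifier): child name} for every definition found
    return {(m["parent"], int(m["num"])): m["name"] for m in _DEF.finditer(text)}

def suffix_to_name(tree, suffix):
    """Walk an OID suffix such as '1.1.4' down from the root, one step per number."""
    node, path = ROOT_NAME, []
    for part in suffix.split("."):
        node = tree[(node, int(part))]   # KeyError: sub-identifier not in this MIB
        path.append(node)
    return ".".join(path)

def oid_to_name(tree, oid):
    """Resolve a full OID; a leading dot, as used in the table, is accepted."""
    oid = oid.lstrip(".")
    if not oid.startswith(ROOT_OID + "."):
        raise ValueError(f"{oid} is not under the {ROOT_OID} prefix")
    return suffix_to_name(tree, oid[len(ROOT_OID) + 1:])

def name_to_oid(tree, leaf):
    """Reverse lookup: climb from a counter name to the root and rebuild the OID."""
    by_name = {child: (parent, n) for (parent, n), child in tree.items()}
    nums, node = [], leaf
    while node != ROOT_NAME:
        node, n = by_name[node]
        nums.append(n)
    return ROOT_OID + "." + ".".join(str(n) for n in reversed(nums))
```

Running `parse_mib` over the real adminkit.mib instead of the fragment gives a lookup table for every counter in the OID table below.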
Values of object identifiers for SNMP
The table below shows the values and descriptions of the object identifiers (also referred to as OIDs) that are used for transferring information on Administration Server performance to third-party applications.
Values and descriptions of object identifiers for SNMP

| Value of object identifier | Numeric data type | OID | Description |
|---|---|---|---|
| | | .1.3.6.1.4.1.23668.1093.1.1.1 | Deployment status. The status can be one of the following: |
| | | .1.3.6.1.4.1.23668.1093.1.1.2.1 | The reason. Value equals 1 if some devices were found without managed applications, and 0 otherwise. |
| | | .1.3.6.1.4.1.23668.1093.1.1.2.2 | The reason |
| | | .1.3.6.1.4.1.23668.1093.1.1.2.3 | The reason |
| | | .1.3.6.1.4.1.23668.1093.1.1.2.4 | The reason |
| | | .1.3.6.1.4.1.23668.1093.1.1.3 | Number of devices in Administration Server groups. |
| counters.deployment.hostsWithAntivirus | | .1.3.6.1.4.1.23668.1093.1.1.4 | Number of devices in Administration Server groups with managed applications installed. |
| | | .1.3.6.1.4.1.23668.1093.1.1.5 | Number of devices on which the remote installation task failed. |
| | | .1.3.6.1.4.1.23668.1093.1.1.6 | ID of a license key that expires soon (in less than 7 days). |
| | | .1.3.6.1.4.1.23668.1093.1.1.7 | ID of the expired license key. |
| | | .1.3.6.1.4.1.23668.1093.1.1.8 | Number of days before a license expires. |
| | | .1.3.6.1.4.1.23668.1093.1.1.9 | Number of devices with a license that expires soon (in less than 7 days). |
| | | .1.3.6.1.4.1.23668.1093.1.1.10 | Number of devices with an expired license. |
| | | .1.3.6.1.4.1.23668.1093.1.2.1 | Current status of Anti-virus bases. The status can be one of the following: |
| | | .1.3.6.1.4.1.23668.1093.1.2.2.1 | This reason shows that Administration Server was not updated for a long time. The amount of time considered long is specified in |
| | | .1.3.6.1.4.1.23668.1093.1.2.2.2 | This reason shows that some devices were not updated for a long time (7 days or more for Critical and 3 days for Warning). You can obtain the number of those devices via |
| | | .1.3.6.1.4.1.23668.1093.1.2.3 | Last time when Anti-virus bases were updated on Administration Server. |
| | | .1.3.6.1.4.1.23668.1093.1.2.4 | Number of devices containing Anti-virus bases that are not updated. |
| | | .1.3.6.1.4.1.23668.1093.1.3.1 | Status of real-time protection. One of the following: |
| | | .1.3.6.1.4.1.23668.1093.1.3.2.1 | This reason shows that a security application is not running on some devices. You can obtain the number of those devices via |
| | | .1.3.6.1.4.1.23668.1093.1.3.2.2 | This reason shows that real-time protection is not running on some devices. You can obtain the number of those devices via |
| | | .1.3.6.1.4.1.23668.1093.1.3.2.4 | This reason shows that there are devices containing non-disinfected objects. You can obtain the number of those devices via |
| | | .1.3.6.1.4.1.23668.1093.1.3.2.5 | This reason shows that threats were found on some devices. You can obtain the number of those devices via |
| | | .1.3.6.1.4.1.23668.1093.1.3.2.6 | This reason shows the virus outbreak status of the system. Value equals 1 if a certain number of viruses were found within a certain period of time, and 0 otherwise. The number of viruses and the period of time are specified on Administration Server, by using the |
| | | .1.3.6.1.4.1.23668.1093.1.3.3 | Number of devices with security applications not running. |
| | | .1.3.6.1.4.1.23668.1093.1.3.4 | Number of devices with real-time protection not running. |
| | | .1.3.6.1.4.1.23668.1093.1.3.5 | Number of devices with an unacceptable real-time protection level. |
| | | .1.3.6.1.4.1.23668.1093.1.3.6 | Number of devices containing non-disinfected objects. |
| | | .1.3.6.1.4.1.23668.1093.1.3.7 | Number of devices containing threats. |
| | | .1.3.6.1.4.1.23668.1093.1.4.1 | Status of Anti-virus full scan. One of the following: |
| | | .1.3.6.1.4.1.23668.1093.1.4.2.1 | This reason shows that some devices have not been scanned for a certain amount of time. You can obtain the number of those devices via |
| | | .1.3.6.1.4.1.23668.1093.1.4.3 | Number of devices that have not been scanned for a certain amount of time. The amount of time is specified in |
| | | .1.3.6.1.4.1.23668.1093.1.5.1 | Status of the logical network of Administration Server. One of the following: |
| | | .1.3.6.1.4.1.23668.1093.1.5.2.1 | This reason shows that some devices have not connected to Administration Server for a long time (7 days or more for a device of Warning status and 4 days for a device of Critical status). You can obtain the number of those devices via |
| | | .1.3.6.1.4.1.23668.1093.1.5.2.2 | This reason shows that there are devices over which Administration Server has lost control. You can obtain the number of those devices via |
| | | .1.3.6.1.4.1.23668.1093.1.5.3 | Number of devices found by Administration Server that do not belong to any Administration Server group. |
| | | .1.3.6.1.4.1.23668.1093.1.5.4 | Number of groups on Administration Server. |
| | | .1.3.6.1.4.1.23668.1093.1.5.5 | Number of devices that have not connected to Administration Server for a long time. The amount of time considered long is specified in |
| | | .1.3.6.1.4.1.23668.1093.1.5.6 | Number of devices that are not controlled by Administration Server. |
| | | .1.3.6.1.4.1.23668.1093.1.6.1 | Status of the events subsystem. One of the following: |
| | | .1.3.6.1.4.1.23668.1093.1.6.2.1 | The reason. Value equals 1 if there is at least one critical event on any device, and 0 otherwise. |
| | | .1.3.6.1.4.1.23668.1093.1.6.3 | Number of critical events on Administration Server. |
Troubleshooting
This section lists solutions for a few typical issues that you might encounter when using the SNMP service.
Third-party application cannot connect to the SNMP service
Make sure that SNMP support is installed in Windows. SNMP support is disabled by default.
To enable SNMP support in Windows 10:
- Navigate to Control Panel.
- Open the Add or Remove Programs menu.
- Click Turn Windows features on or off.
- In the Windows features list, navigate to the SNMP feature, select it, and then click OK.
- Navigate to Control Panel → Administrative Tools → Services.
- Select the SNMP service and start it.
- Check that the service is listening by running netstat and looking for the standard SNMP UDP port (161).
SNMP support is now enabled in Windows 10.
The SNMP service is running, yet the third-party application cannot get any values
Enable SNMP agent tracing and make sure that a non-empty trace file is created. This confirms that the SNMP agent is properly registered and functioning. After that, in the SNMP service settings, allow the third-party application to connect to the SNMP service. If the third-party application runs on the same host as the SNMP agent, the list of allowed IP addresses must contain either the IP address of that host or the loopback address 127.0.0.1.
An SNMP service that communicates with agents must be running in Windows. The paths to SNMP agents are specified in the Windows Registry, which you can inspect with regedit:
- For Windows 10:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\ExtensionAgents
- For Windows Vista and Windows Server 2008:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SNMP\Parameters\ExtensionAgents
You can also enable SNMP agent tracing via regedit, under the key for your system:
- For 32-bit systems:
HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\Components\34\1093\1.0.0.0\SNMP\Debug
- For 64-bit systems:
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KasperskyLab\Components\34\1093\1.0.0.0\SNMP\Debug
Set the following values under that key (the trace level and the directory where the trace file is written):
"TraceLevel"=dword:00000004
"TraceDir"="C:\\"
Values do not match the statuses in Administration Console
To reduce the load on Administration Server, the SNMP agent caches counter values. The latency between a value changing on Administration Server and the cache being refreshed may cause mismatches between the values returned by the SNMP agent and the actual ones. When working with third-party applications, take this possible latency into account.