Forum Discussion

pgordon's avatar
pgordon
Icon for Advisor rankAdvisor
3 months ago

Excessive snmp requests with a community string I am not using

I have some switches that are getting hammered by a few of my collectors and I can't figure out why.
The logs on them are full of this message:


snmp: ST1-CMDR: Security access violation from <Collector IP> for the community name or user name : public (813 times in 60 seconds)

I don't have "public" set for this set of switches anywhere and it is coming from my collectors. I don't have any netscans for the subnet they are on. In my portal everything looks normal for these switches. I'm not sure what else to be looking at to figure this out, anyone have any thoughts?

Thank you!

  • Okay I figured this out and it was a housekeeping thing on my part - I was able to find that I had these switches in my portal a second time using a different IP. They weren't in my hierarchy and had no community string set, I deleted them and now the messages are gone.
    Thanks everyon!

  • Check if you have the snmp.community property set anywhere including at the root group level. Properties get inherited so it can be easy for some properties (especially when using the Wizard) to get set at a higher level and flow down. It's also possible that ProperySources might do a snmp check but it wouldn't be nearly that frequently.

    Also if you were doing v3 previously, verify that is still working. If v3 stops working LM might attempt to downgrade to v2 and perhaps use a "public" default value.

    • pgordon's avatar
      pgordon
      Icon for Advisor rankAdvisor

      They are all using SNMP v2
      I do have snmp.community set and I have it set at the group these switches are in with the correct community string. They wouldn't be getting all the data they're getting if the string were wrong, everything in the portal looks normal to me.

  • You may have to troubleshoot which DataSource may be causing it by trial and error. Like disabling snmp checks on a device until it goes away. You can also try doing packet traces on the collector (if not too loaded down) to look for "public" attempts since snmpv2 is not encrypted.

  • Prepare for disappointment. LM defaults to "public" if no community is configured and it's not trivial to disable SNMP polling (e.g. there isn't a NoSNMP like there is a NoPING).


    https://community.logicmonitor.com/discussions/lm-exchange/custom-property---disable-snmp-polling-/13178


     

    • pgordon's avatar
      pgordon
      Icon for Advisor rankAdvisor

      I do have a group I set up already for disabling all datasources but ping, thanks for reminding me.

      • befuddled's avatar
        befuddled
        Icon for Neophyte rankNeophyte

        Sorry, I misread your original request, so what I said might not have been helpful.