Defining authentication credentials

Last updated on 24 September, 2024

Using properties to set credentials

LogicMonitor may require credentials (for example, JDBC passwords, SNMP community strings, SSH username, and so on) in order to collect data from your devices. You can use properties to set this information at the global, group, or device level.

The level where you choose to set properties for your device may depend on how many devices that property applies to. For example, if you use the same SNMP community string for all Linux devices, you may want to set this property at the group level instead of at the device level for each individual Linux device in your account. For strategies and instructions on where and how to set properties, see Resource and Instance Properties.

Common credentials

There are multiple predefined properties that store credentials and authentication details for various common protocols and systems. LogicMonitor obfuscates the values of some properties throughout the LogicMonitor portal to protect sensitive data. The following table lists the property name patterns whose values are masked, with details about each:

| Property Name | Description |
| --- | --- |
| (any character)credential | Property name with any character or characters before the credential is considered sensitive and the value of this property is masked. Example – abc.credential, a12.credential, a@1. credential, .foo-credential |
| (any character)password | Property name with any character or characters before the password is considered sensitive and the value of this property is masked. Example – abc.password, a12password, [email protected] |
| (non whitespace character).pass | Property name with non whitespace character or characters before .pass is considered sensitive and the value of this property is masked. Example – [email protected] |
| (non whitespace character).auth | Property name with non whitespace character or characters before .auth is considered sensitive and the value of this property is masked. Example – [email protected] |
| (non whitespace character).key | Property name with non whitespace character or characters before .key is considered sensitive and the value of this property is masked. Example – [email protected] |
| (digits).snmptrap.community | Property name with any digit or digits before .snmptrap.community is considered sensitive and the value of this property is masked. Example – 123.snmptrap.community |
| (digits).snmptrap.privtoken | Property name with any digit or digits before .snmptrap.privtoken is considered sensitive and the value of this property is masked. Example – 123.snmptrap.privtoken |
| (digits).snmptrap.authtoken | Property name with any digit or digits before .snmptrap.authtoken is considered sensitive and the value of this property is masked. Example – 123.snmptrap.authtoken |

The value of the following field is masked.

| Field Name | Description |
| --- | --- |
| snmpCommunity | This field is used only for external alerting and the value of this field is masked. |

The value of the following properties is masked.

  • snmp.community
  • snmp.privtoken
  • snmp.authtoken
  • aws.accesskey
  • azure.secretkey
  • saas.privatekey
  • saas.secretkey
  • gcp.serviceaccountkey
  • collector.sqs.awsaccesskey
  • collector.sqs.awssecretkey
  • gcccli.accesskey
  • paas.privatekey
  • saas.slack.refreshtoken
  • saas.slack.accesstoken
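
A secret stored under a property name that matches none of these rules is not covered by the masking described above. The following check is an added example, not LogicMonitor code: it encodes the name patterns and the explicit list from this page and reports which names in an inventory fall outside them. Case-insensitive matching, anchoring the sensitive token at the end of the name, and the sample names (including the hypothetical custom properties vault.credential, api.token and backup.secret) are assumptions.

```python
import re

# Name rules from the table above. Assumptions of this sketch: matching is
# case-insensitive and the sensitive token must end the property name.
SUFFIX_RULES = [
    r".+credential",            # (any character)credential
    r".+password",              # (any character)password
    r"\S+\.(?:pass|auth|key)",  # (non whitespace character).pass/.auth/.key
    r"\d+\.snmptrap\.(?:community|privtoken|authtoken)",  # (digits).snmptrap.*
]
PATTERNS = [re.compile(rule, re.IGNORECASE | re.DOTALL) for rule in SUFFIX_RULES]

# Properties the page lists by exact name as masked.
EXPLICIT = {
    "snmp.community", "snmp.privtoken", "snmp.authtoken", "aws.accesskey",
    "azure.secretkey", "saas.privatekey", "saas.secretkey",
    "gcp.serviceaccountkey", "collector.sqs.awsaccesskey",
    "collector.sqs.awssecretkey", "gcccli.accesskey", "paas.privatekey",
    "saas.slack.refreshtoken", "saas.slack.accesstoken",
}


def is_masked(name: str) -> bool:
    """True if the property name falls under one of the masking rules."""
    if name.lower() in EXPLICIT:
        return True
    return any(p.fullmatch(name) for p in PATTERNS)


def unmasked_secrets(secret_props):
    """Names from secret_props whose values would be displayed unmasked."""
    return [name for name in secret_props if not is_masked(name)]


# Constructed inventory: property names a team uses to hold secrets.
# vault.credential, api.token and backup.secret are hypothetical names.
SECRET_PROPS = [
    "jdbc.mysql.pass", "snmp.authToken", "2.snmptrap.privToken",
    "vault.credential", "api.token", "backup.secret",
]

if __name__ == "__main__":
    for name in unmasked_secrets(SECRET_PROPS):
        print(f"not masked under the documented rules: {name}")
```

Renaming a flagged property so that it ends in one of the documented tokens (for example .pass or .key) brings it under the masking rules.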

System credentials

This section lists all the system credentials and their values. Refer to the notes for additional information about each property.

Citrix Xen*

| Property Name | Value | Notes |
| --- | --- | --- |
| xen.user, xen.pass, xen.url | The username, password, and URL used to access your XenServer. | For more information about configuring your Citrix XenServer, see Citrix XenServer. |
| xen.pool | Used to enable or disable discovery of the entire resource pool’s VMs rather than just the hypervisor’s current VMs. | |
| xen.pool.concurrency | Manages the maximum number of connections to the Xen pool master. This property defaults to 10. | |
| xenapp.user, xenapp.pass | The username and password to access XenApp/XenDesktop. | For more information on configuring Citrix XenApp/XenDesktop for monitoring, see Citrix XenApp/XenDesktop Monitoring. |

Dell EMC

| Property Name | Value | Notes |
| --- | --- | --- |
| cim.user, cim.pass, cim.port, cim.ssl | The username, password, port, and SSL enablement status for EMC devices. | |

ESX Server

| Property Name | Value | Notes |
| --- | --- | --- |
| esx.user, esx.pass, esx.url | Username, password, and URL, if necessary, for accessing your ESX server. | For more information on configuring your ESX server, see ESXi Servers and vCenter/vSphere Monitoring. |

Mongo DB

| Property Name | Value | Notes |
| --- | --- | --- |
| mongodb.user, mongodb.pass | The username and password used for MongoDB database access. | For more information about configuring your MongoDB, see MongoDB. |

Navisphere

| Property Name | Value | Notes |
| --- | --- | --- |
| naviseccli.user, naviseccli.pass | The username and password used to access your Navisphere server. | |

NetApp

| Property Name | Value | Notes |
| --- | --- | --- |
| netapp.user, netapp.pass | The username & password used for accessing NetApp filers via the API. | For more information on declaring netapp.api.port, netapp.ssl, and netapp.api.sslport, see NetApp FAS Monitoring. |

Redis

| Property Name | Value | Notes |
| --- | --- | --- |
| redis.ports, redis.pass | The alternative ports and password for your Redis data store. | For more information about configuring Redis, see Redis. |

Protocol credentials

This section lists all the protocol credentials and their values. Refer to the notes for additional information about each property.

HTTP

| Property Name | Value | Notes |
| --- | --- | --- |
| http.user, http.pass, http.port | The username, password, and port, if necessary, for the web page collection method. | |

IPMI

| Property Name | Value | Notes |
| --- | --- | --- |
| ipmi.user, ipmi.pass | The username and password used to access IPMI sensors and event logs. | For more information about configuring IPMI, see IPMI Support. |

JDBC

| Property Name | Value | Notes |
| --- | --- | --- |
| jdbc.mysql.user, jdbc.mysql.pass, dbname | The username, password, & database name to access MySQL. | For more information about MySQL credentials, see MySQL Monitoring and Microsoft SQL Server Monitoring. |
| jdbc.oracle.user, jdbc.oracle.pass | The username & password to access Oracle. | For more information on configuring access to Oracle, see Oracle Monitoring. |
| jdbc.mssql.user, jdbc.mssql.pass, dbname | The username, password & database name used for SQL server access. | By default, the SQLServerConnection- datasource uses integrated security, so it is not necessary to set these if the user the collector runs as has rights to query the database. |
| jdbc.db2.user, jdbc.db2.pass, dbname | The username, password & database name used for DB2 access. | |

JMX

| Property Name | Value | Notes |
| --- | --- | --- |
| tomcat.jmxports, jmx.user, jmx.pass | The Tomcat JMX ports (comma separated), username and password for JMX access to your Tomcat server. | For more information about configuring your Tomcat server, see Tomcat. |
| jmx.port, jmx.ports, jmx.user, jmx.pass | A singular port to monitor a JMX object, a list of ports (comma separated) to monitor multiple JMX objects, and the JMX username and password that should be used for authentication. | |

PDH

| Property Name | Value | Notes |
| --- | --- | --- |
| pdh.user, pdh.pass | The Windows username & password for remote perfmon access. | Usually, these properties do not need to be defined because the wmi.user/wmi.pass properties will be used to access perfmon data. However, these may be needed if the WMI credentials include a domain\user, but the remote computer is in a different domain, and the user is local. |

SNMP

| Property Name | Value | Notes |
| --- | --- | --- |
| snmp.community | The SNMP community string for SNMP versions 1 and 2c (the default is public). | See the Defining SNMP Credentials and Properties section of this support article. |
| snmp.security | The username for SNMP version 3. | |
| snmp.auth, snmp.authToken | The authentication algorithm (default=”SHA”) and the secret token for authentication (similar to password) for SNMP v3 (SNMPv3). “MD5” is also supported for the snmp.auth property and, if you are running Collector version 28.606 or a higher numbered version, “SHA224”, “SHA256”, “SHA384”, and “SHA512” are additionally supported. | |
| snmp.priv, snmp.privToken | The privacy algorithm and the secret token for privacy (similar to password) for SNMPv3. Both AES and DES are supported. AES is the default privacy algorithm. AES and AES128 are the same protocol and can be used interchangeably because they use the same encryption method – AES128. AES192-3DES, AES1923DES, and AES192C are the same protocol and can be used interchangeably because they use the same encryption method. AES256-3DES, AES2563DES and AES256C are the same protocol and can be used interchangeably because they use the same encryption method. AES128 and AES256 are supported out-of-the-box. DES, 3DES, AES192, and AES256 are also supported. AES2563DES and AES1923DES are supported (usually for Cisco devices) starting with EA Collector 28.607 and later. | |
| snmp.port | The UDP port for SNMP (defaults to UDP 161). | |
| snmp.contextName, snmp.contextEngineID | These properties identify the SNMP context (a collection of management information) associated with the SNMP device. | |

SSH

| Property Name | Value | Notes |
| --- | --- | --- |
| ssh.user | SSH username. This property must be set on the Linux resource in LogicMonitor. | For more information on configuring Linux-based system monitoring via SSH, see Linux (via SSH) Monitoring. |
| ssh.pass | SSH password. Only required if username and password are used to authenticate connection between LogicMonitor and the Linux resource. If a username and SSH private key are being used instead of a password, set the ssh.cert property instead. This property must be set on the Linux resource in LogicMonitor. | |
| ssh.cert | Path to the SSH private key located on the Collector host (stored in a .pem or .pub file). Defaults to ~/.ssh/id_rsa if not set. LogicMonitor will attempt to use key-based authentication if configured, otherwise username and password will be used for authentication. This property must be set on the Linux resource in LogicMonitor. | |
| ssh.port | Port used for SSH connections. Defaults to port 22 if not set. | |
| remotesession.ssh.port | Populate to override default SSH port value. | For more information on using SSH to remotely access and operate on devices from within your LogicMonitor portal, see Remote Session. |

Telnet

| Property Name | Value | Notes |
| --- | --- | --- |
| config.user, config.pass | The username and password to access Telnet. | These properties are needed to monitor ConfigSources with telnet. |

Some ConfigSources such as Cisco_IOS and Fortigate_FortiOS require an additional property config.type.telnet = true on their respective devices to use the Telnet protocol.

WMI

| Property Name | Value | Notes |
| --- | --- | --- |
| wmi.user, wmi.pass | The Windows username & password for remote WMI and PerfMon access. | If the collector is running as a domain account with the least privilege permissions on the host to be monitored, this is unnecessary. To specify a local user when running in a domain, use ##HOSTNAME##\administrator. For more information on configuring remote Windows host access, see Credentials for Accessing Remote Windows Computers. |
| wmi.authType | The NTLM protocol version used to authenticate to a remote WMI host. | If this property is not set, it defaults to a value of “NTLMv1”. Specify “NTLMv2” for authentication via NTLM version 2. A value of “Kerberos” is also supported; if “Kerberos” is assigned, you should use the ServerName or FQDN to add a device and start your Collector services using AD account credentials instead of Local System. For more information on configuring remote WMI host access, see Credentials for Accessing Remote Windows Computers. |

Defining SNMP credentials and properties

LogicMonitor can use SNMP versions 1, 2c or 3. If your device supports 2c, it supports 64-bit counters and is preferable over version 1. SNMPv3 adds authentication and encryption, making it more secure, but also more complicated to set up and troubleshoot.

Note:

  • On an individual device, snmp.version is automatically set by LogicMonitor to the version of SNMP which responds. LogicMonitor attempts SNMP communication initially with version 3, then 2c, and finally version 1. The highest responding version is set for this value, and any attempts to edit it will automatically revert.
  • If you attempt to change the SNMP version after initial device addition (by entering new credentials), you must ensure it and the pertinent credentials function. If LogicMonitor is not able to communicate using the new version specified, it will automatically revert to the original version as a result of the failure.
  • If you want to override the default UDP 161 port, set snmp.port (defined in the table above) to reflect your SNMP port.

SNMP Versions 1 and 2c

For SNMP versions 1 and 2c, you need to set the snmp.community property (defined in the table above).

SNMP Version 3

For SNMPv3, to communicate with authentication and privacy (referred to as authPriv security level), you need to set the snmp.security, snmp.auth, snmp.authToken, snmp.priv, and snmp.privToken properties (all defined in the table above).

If communicating with authentication only (no privacy), referred to as authNoPriv, include the snmp.priv and snmp.privToken properties, but leave them blank.

SNMPv3 also introduces support for snmp.contextName and snmp.contextEngineID. The snmp.contextEngineID value is a string used to identify the device on which the management information is hosted. The snmp.contextName identifies the individual SNMP context.

Defining Community Strings and SNMP Credentials for Ingesting SNMP Traps as LM Logs

To authenticate SNMP traps, the collector which is receiving the traps must be aware of the community strings and the SNMP trap credentials of the devices that are forwarding the traps.

  • For the devices that are monitored by a collector, the credentials and community strings must be configured on the device properties.
  • For devices that are not monitored by the collector receiving the traps, or that are not monitored by LogicMonitor at all, the credentials and community strings should be added as device properties on the self-monitoring collector device, or on the device group of the collectors, that receives the SNMP traps from such devices. In this case, the device properties must be prefixed with a number 1, 2, 3, and so on.

SNMP Traps Community String Configuration for Devices Not Monitored by Collector

For SNMP v1/v2c traps, the community strings should be configured as collector device properties as follows:

1.snmptrap.community
2.snmptrap.community
3.snmptrap.community

SNMP Traps Credential Configuration for Devices Not Monitored by Collector

For SNMP v3 traps, the SNMP credentials should be configured as collector device properties as follows:

1.snmptrap.security
1.snmptrap.auth
1.snmptrap.authToken
1.snmptrap.priv
1.snmptrap.privToken

2.snmptrap.security
2.snmptrap.auth
2.snmptrap.authToken
2.snmptrap.priv
2.snmptrap.privToken

Note:

  • The prefixed numbers are mutually exclusive for the community strings and SNMP credentials.
  • The prefixed number must start with 1 and must be sequentially incremented for the remaining devices.
  • You can add a maximum of 15 community strings with prefixed numbers as device properties to a collector device.
  • You can add a maximum of 15 SNMP credentials with prefixed numbers as device properties to a collector device.
  • The prefixed snmptrap.security properties cannot have the same value on a collector device.
  • Starting with EA Collector 36.100 and later versions, the SNMP credentials and community strings specified on the collector device can also be used for monitored devices.
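
The numbering rules in this note can be checked before the properties are saved on the collector device. The validator below is an added example, not LogicMonitor code; the function names, user names and placeholder tokens are assumptions. It treats community strings and SNMP v3 credentials as two independently numbered series, as in Scenario 3 on this page.

```python
import re

MAX_ENTRIES = 15  # per-series limit from the note above
PREFIXED = re.compile(r"(\d+)\.snmptrap\.(\w+)", re.IGNORECASE)
V3_FIELDS = {"security", "auth", "authtoken", "priv", "privtoken"}


def check_trap_properties(props):
    """Return rule violations for the prefixed trap properties in props."""
    community, v3 = set(), {}
    for name, value in props.items():
        m = PREFIXED.fullmatch(name)
        if not m:
            continue  # not a prefixed snmptrap property
        idx, field = int(m.group(1)), m.group(2).lower()
        if field == "community":
            community.add(idx)
        elif field in V3_FIELDS:
            v3.setdefault(idx, {})[field] = value
    problems = []
    # Community strings and v3 credentials are numbered independently.
    for label, used in (("community", community), ("v3 credential", set(v3))):
        if len(used) > MAX_ENTRIES:
            problems.append(f"{label}: more than {MAX_ENTRIES} entries")
        if used != set(range(1, len(used) + 1)):
            problems.append(f"{label}: prefixes {sorted(used)} are not 1..{len(used)}")
    users = [c["security"] for c in v3.values() if "security" in c]
    dupes = sorted({u for u in users if users.count(u) > 1})
    if dupes:
        problems.append(f"duplicate snmptrap.security values: {dupes}")
    return problems


def v3_set(n, user):
    """Constructed credential set; tokens are placeholders, not real secrets."""
    return {f"{n}.snmptrap.security": user, f"{n}.snmptrap.auth": "SHA",
            f"{n}.snmptrap.authToken": "<auth-token>",
            f"{n}.snmptrap.priv": "AES", f"{n}.snmptrap.privToken": "<priv-token>"}


# Scenario 3 from this page: device 3's community string takes prefix 2.
SCENARIO_3 = {"1.snmptrap.community": "<c1>", "2.snmptrap.community": "<c3>",
              **v3_set(1, "trapuser1"), **v3_set(2, "trapuser2")}
# Constructed mistake: numbering the community string by device number instead.
BY_DEVICE = {**SCENARIO_3, "3.snmptrap.community": "<c3>"}
del BY_DEVICE["2.snmptrap.community"]

if __name__ == "__main__":
    print(check_trap_properties(SCENARIO_3))
    print(check_trap_properties(BY_DEVICE))
```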

Scenarios

Scenario 1

Assumption: There are 3 devices which forward only SNMP v1/v2c traps to a collector.

| Device # | SNMP v1/v2c Traps | SNMP v3 Traps | Properties Added to Collector Device |
| --- | --- | --- | --- |
| 1 | Yes | No | 1.snmptrap.community |
| 2 | Yes | No | 2.snmptrap.community |
| 3 | Yes | No | 3.snmptrap.community |

Interpretation: All the devices forward SNMP traps of v1/v2c to the collector. Therefore, for each device, the community strings are prefixed with 1, 2, and 3 and then added to the collector device.

Scenario 2

Assumption: There are 3 devices which forward only SNMP traps of v3 to a collector.

| Device # | SNMP v1/v2c Traps | SNMP v3 Traps | Properties Added to Collector Device |
| --- | --- | --- | --- |
| 1 | No | Yes | 1.snmptrap.security, 1.snmptrap.auth, 1.snmptrap.authToken, 1.snmptrap.priv, 1.snmptrap.privToken |
| 2 | No | Yes | 2.snmptrap.security, 2.snmptrap.auth, 2.snmptrap.authToken, 2.snmptrap.priv, 2.snmptrap.privToken |
| 3 | No | Yes | 3.snmptrap.security, 3.snmptrap.auth, 3.snmptrap.authToken, 3.snmptrap.priv, 3.snmptrap.privToken |

Interpretation: All the devices forward SNMP traps of v3 to the collector. Therefore, for each device, the credentials are prefixed with 1, 2, and 3 and then added to the collector device. 

Scenario 3

Assumption: There are 3 devices which forward SNMP traps of different versions to a collector.

| Device # | SNMP v1/v2c Traps | SNMP v3 Traps | Properties Added to Collector Device |
| --- | --- | --- | --- |
| 1 | Yes | Yes | 1.snmptrap.community, 1.snmptrap.security, 1.snmptrap.auth, 1.snmptrap.authToken, 1.snmptrap.priv, 1.snmptrap.privToken |
| 2 | No | Yes | 2.snmptrap.security, 2.snmptrap.auth, 2.snmptrap.authToken, 2.snmptrap.priv, 2.snmptrap.privToken |
| 3 | Yes | No | 2.snmptrap.community |

Interpretation:

  • The device #1 forwards both SNMP v1/v2c and v3 traps to the collector, hence 1 is prefixed to the community string and SNMP credentials and then added to the collector device. For example, 1.snmptrap.community.
  • The device #2 forwards only SNMP v3 traps to the collector. Here, 2 is prefixed to the SNMP Trap credentials and then added to the collector device, because for the device #1, a set of SNMP Trap credentials is already added to the collector device with prefix 1.
  • The device #3 forwards only SNMP v2 traps to the collector. Here, 2 is prefixed to the SNMP Trap community string and then added to the collector device, because for the device #1, an SNMP Trap community string is already added to the collector device with prefix 1.