topic Re: Does Splunk use SNMP on 161? in Getting Data In

Does Splunk use SNMP on 161?

weevil — Thu, 13 Sep 2012 09:53:41 GMT

Hi,

We have a customer who is currently doing some compliance scanning, and have found port 161, SNMP Server, open for various periods throughout the day. Is Splunk guilty of this or does Splunk not use port 161 in this fashion?

Thanks!

Re: Does Splunk use SNMP on 161?

MHibbin — Thu, 13 Sep 2012 10:05:26 GMT

Splunk does not directly use SNMP. It may be an SNMP daemon that is running on the same server, ref the following for the splunk recommended practice http://docs.splunk.com/Documentation/Splunk/latest/Data/SendSNMPeventstoSplunk

Is it a *nix platform? - If so you can use netstat and ps to locate some more information...

netstat -antp | egrep '161|162'

This will show you what processes are using those ports, you can then find the PID in this information and use that in a ps search...

ps -ef | grep <PID>

Re: Does Splunk use SNMP on 161?

Ayn — Thu, 13 Sep 2012 10:06:29 GMT

Splunk does not use port 161.

See this recent answer regarding "Splunk"'s SNMP functionality: http://splunk-base.splunk.com/answers/58537/what-version-of-splunk-can-receive-traps-via-snmpv3

Re: Does Splunk use SNMP on 161?

weevil — Thu, 13 Sep 2012 10:21:11 GMT

I will have a look and see if it is a Daemon or something untoward doing the SNMP. I guess this is why PCI Compliance exists 🙂

Re: Does Splunk use SNMP on 161?

MHibbin — Thu, 13 Sep 2012 10:26:04 GMT

Okay cool!