topic Re: How to monitor switch, router... and other Cisco devices using SNMP. in Getting Data In

How to monitor switch, router... and other Cisco devices using SNMP.

ledaipro — Sun, 18 Oct 2015 15:17:22 GMT

Hi.

Using NET-SNMP on Windows to receive and log SNMP traps to a file, and I want Splunk monitor that file. How to do this?
I installed NET-SNMP on Windows
What is next step?

Re: How to monitor switch, router... and other Cisco devices using SNMP.

santiagoaloi — Sun, 18 Oct 2015 17:56:22 GMT

Hey!

This is fairly simple since you will be monitoring just one file containing all your SNMP traps logs.
Assuming your Splunk indexer is located in a dedicated server somewhere else, you will have to install an Universal Forwarder in the Windows instance where the snmp traps log file is located..

Download the Universal Forwarder, install it and as a best practice I would recommend you to create an inputs.conf and outputs.conf file located inside an app, which is basically a directory where you will palce both files for snmp traps, for example:
$SPLUNK_HOME\etc\apps\UF-SNMP_collection. This will be a scalable way of managing all your inputs centrally from a deployment-server.

Universal Forwarder

UF-SNMP_collection > default > inputs.conf

[monitor://C:\folder1\folder2\snmptraps.log]
host          = yourhostname
index         = (defaults to *main*, but creating a test index is a best practice)
sourcetype    = snmptraps could be a good one.

UF-SNMP_collection > default > outputs.conf

[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = yourindexer:9997

Splunk Indexer or Search Head

Define an app name, for example "APP-SNMP" and then create two sub-folders default and metadata.

If your Splunk indexer is located in the same Windows instance as your snmp traps log file, just place the inputs.conf file together with the props.conf file within this app and discard the outputs.conf file step.

APP-SNMP > default >props.conf

These parameters are examples of best practices for line breaking, and search optimization , you will have to tweak them according to your snmp trap logs timestamp format and location within log. Read about this in Splunk Docs, you don't have to do it, but its good to know it 🙂

[snmptraps]

# Accurarte line breaking steps 

TIME_FORMAT              = %b %d %H:%M:%S %Z%z %Y 
TIME_PREFIX              = \w+\s\w+\s\d+\s\d+\s\d+:\d+:\d+
LINE_BREAKER             = ([\n\r])\w+\s\w+\s\d+\s\d+\s\d+:\d+:\d+
MAX_TIMESTAMP_LOOKAHEAD  = 25
TRUNCATE                 = 50000

# field extraction

EXTRACT-field_foo       = some regex
EXTRACT-field_bar        = some regex

APP-SNMP > metadata > default.meta

[]
access = read : [ * ], write : [ admin ]
export = system

All the filed extractions should be placed within this app context so you have a better control of it.

Normally when you do the filed extraction in Splunk GUI, the props.conf will be placed in a local folder of the app context you are standing.

Commonly search or launcher, so check either:

$SPLUNK_HOME\etc\apps\launcher\local\props.conf
$SPLUNK_HOME\etc\apps\search\local\props.conf
$SPLUNK_HOME\etc\user\**youruser**\search\local\props.conf
$SPLUNK_HOME\etc\user\**youruser**\launcher\local\props.conf

Re: How to monitor switch, router... and other Cisco devices using SNMP.

woodcock — Sun, 18 Oct 2015 21:37:48 GMT

This Q&A on SNMP is incredible:

https://answers.splunk.com/answers/229041/how-to-send-snmp-traps-from-my-linux-machine-to-a.html

Re: How to monitor switch, router... and other Cisco devices using SNMP.

friea — Sun, 18 Oct 2015 21:50:10 GMT

Have you taken a look at the Cisco Networks app for Splunk? https://splunkbase.splunk.com/app/1352/

Re: How to monitor switch, router... and other Cisco devices using SNMP.

ledaipro — Mon, 19 Oct 2015 06:07:07 GMT

thank you for this reply. this is very helpful!

Re: How to monitor switch, router... and other Cisco devices using SNMP.

ledaipro — Mon, 19 Oct 2015 06:16:49 GMT

but how to send snmp trap from switch to splunk machine, i have installed net-snmp on splunk machine, and configured snmp on switch 😞

Re: How to monitor switch, router... and other Cisco devices using SNMP.

santiagoaloi — Mon, 19 Oct 2015 13:16:20 GMT

Ok , as I understood you are dumping all the SNMP traps into a log file, right?
You will have to either monitor that log file, assuming you have installed Splunk Enterprise in the same machine where the file is, or use an Universal Forwarder as I described above, to monitor that file and forward it to the indexer.

Re: How to monitor switch, router... and other Cisco devices using SNMP.

ledaipro — Mon, 19 Oct 2015 13:45:28 GMT

I have installed NET-SNMP on splunk machine (winserver 2008 R2).
1. splunk machine
- edit file C:/usr/ etc/snmp/snmptrapd.conf
snmpTrapdAddr 192.168.1.100:162
authCommunity log public
- Add data ->monitor-> UDP port 162
2. Router
I configured
Router(config)# snmp-server community public ro
Router(config)# snmp-server community public rw
Router(config)# snmp-server host 192.168.1.100 version 2 public

But on splunk machine i didn't receive snmp. what did wrong?