topic Re: How to capture snmp traps in splunk ? in Getting Data In

How to capture snmp traps in splunk ?

Hemnaath — Fri, 08 Dec 2017 15:38:38 GMT

Hi All, I have told to configure one of the Heavy forwarder instance to receive and index the CISCO prime traps. i had gone through the links https://docs.splunk.com/Documentation/Splunk/6.5.0/Data/SendSNMPeventstoSplunk provide in the splunk documentation.
but I am not sure how to install / configure the snmptrapd to capture the remote data.

Question:

1) From where I need to download the snmptrapd ? Please provide me the link.
2) My Heavy forwarder running on top of Linux version "Red Hat Enterprise Linux Server release 7.3 (Maipo)" 64 bit OS, so what version of snmptrapd will be compatible ?
3) How to configure the snmptrapd to capture from cisco prime traps? where to configure this two stanza in snamptrapd.

snmptrapd -Lf /var/log/snmp-traps
snmptrapd -Lf /var/log/snmp-traps --disableAuthorization=yes

4) Once snaptrapd is configured, I will be configuring the below inputs.conf stanza, so that splunk can read the trap from this location in heavyforwarder.

inputs.conf
[monitor:///var/log/snmp-traps*]
index=network
sourcetype=network:cisco:primesnmp

Kindly guide me on the above questions.

Re: How to capture snmp traps in splunk ?

Hemnaath — Fri, 08 Dec 2017 17:27:22 GMT

Hi All, Can any one guide me on this ?????

Re: How to capture snmp traps in splunk ?

woodcock — Sat, 09 Dec 2017 04:36:08 GMT

You need the SNMP Modular Input app by @damiendallimore:
https://splunkbase.splunk.com/app/1537/

Re: How to capture snmp traps in splunk ?

Hemnaath — Sat, 09 Dec 2017 05:30:41 GMT

Hi Woodcock, thanks for your support on this, yes i have gone through the link but my requirement is to configure one of the splunk Heavy forwarder instances to receive and index the CISCO prime traps and at the same time I need to have this index=network and sourcetype=network:cisco:primesnmp details configured in inputs.conf stanza.

Kindly guide me whether we can do this via SNMP Modular Input app.

Re: How to capture snmp traps in splunk ?

Hemnaath — Sat, 09 Dec 2017 17:21:10 GMT

Hi Woodcock, I tried to install the app from splunk base on my test machine, after installing the app, I had followed the below steps to capture the CISCO PRIME SNMP traps.

Steps:
1) Manager-->settings-->datainputs--snmp--new

2) SNMP Mode was set as "Listen for traps"

3) SNMP Version kept as "2c"

4) Community String as "Public"

5) Custom MIBs - "Left Blank"

6) Custom Response Handling
Response Handler --> Left Blank
Response Handler Arguments --> Left Blank

7) SNMP Trap listener settings
TRAP listener host " 10.X.X.X" --> Heavy Forwarder IP Address
TRAP listener port "162"

😎 Reverse DNS lookup of trap sources. --> Left this option "unchecked"

9) Source type set to Manual

10) sourcetype : network:cisco:primesnmp

11) More settings -- > In this setting, I would like to set the index name as network.

Question :

1)How to set the index=network in the more settings ?
2) After saving the settings where I can see the inputs.conf stanza in this app. I mean from /opt/splunk/etc/apps/snmp_ta
3) Which option is better to capture the snmp traps, whether by using the snmptrapd or by using this app.

Kindly guide me on this.
thanks in advance.

Re: How to capture snmp traps in splunk ?

Hemnaath — Sat, 09 Dec 2017 18:46:56 GMT

Hi Woodcock, hey I had downloaded the snmptrapd from this link https://sourceforge.net/projects/net-snmp/files/net-snmp/5.7.3/ but I am not sure how to install this package in linux os .

"Download net-snmp-5.6.1.1-1.x86.exe (4.2 MB)"

Kindly let me know how to install this in linux

Re: How to capture snmp traps in splunk ?

saurabh_tek11 — Sun, 10 Dec 2017 11:37:13 GMT

@Hemnaath Custom MIBs - you may get from source Cisco device's management portal - download them and place them to your splunk instance machine (HF) at snmp_ta/bin/mibs location

1)How to set the index=network in the more settings ?

Under more settings - to highlight 'network' as index name - you first have to create this 'network' index on splunk. indexer.
Go to indexer machine Settings > indexes > create new index > name and give location of hot/warm/cold buckets.
now come to snmp settings page and then you will get "network" as index listed under this.

2) After saving the settings where I can see the inputs.conf stanza in this app. I mean from /opt/splunk/etc/apps/snmp_ta

/opt/splunk/etc/apps/snmp_ta
inside this location, create a new directory named 'local'
create a new file here and name it "inputs.conf" for any data collection

3) Which option is better to capture the snmp traps, whether by using the snmptrapd or by using this app.

Both ways are right - use one which suits your requirements. I would prefer app.

Re: How to capture snmp traps in splunk ?

saurabh_tek11 — Sun, 10 Dec 2017 11:40:28 GMT

@Hemnaath -
you are using Red Hat Enterprise Linux Server release 7.3 (Maipo)" 64 bit OS on HF. then .exe fileformat is not for you.

You may download some .gz file version which you can untar in linux OS
tar xvzf -C

Re: How to capture snmp traps in splunk ?

Hemnaath — Sun, 10 Dec 2017 12:20:34 GMT

Hi saurabh , thanks for your support, can you please provide me the link and exact file to download from the site.

thank in advance

Re: How to capture snmp traps in splunk ?

Hemnaath — Sun, 10 Dec 2017 12:26:31 GMT

hi saurabh, In our production environment we have already indexing other network related device data in to the index=network.

But when I tested in my personal laptop after providing the required details I could see the inputs.conf file being placed under this folder /opt/splunk/etc/apps/launcher/local/inputs.conf. can I copy the same and place it in the /opt/splunk/etc/apps/snmp_ta/local/inputs.conf.

I am not sure about the custom MIB, So can I leave that option blank will there be any impact because of it.

Please guide me whether the above steps are correct to capture the remote CISCO prime snmp into the Heavy forwarder instance using the app.

thanks in advance.

Re: How to capture snmp traps in splunk ?

Hemnaath — Sun, 10 Dec 2017 17:18:01 GMT

Hi All, I have successfully download and installed the snmptrap with the help of linux administrator.

From the below site you can download the snmptrapd.rpm for "Red Hat Enterprise Linux Server release 7.3 (Maipo)" 64 bit OS.

http://rpm.pbone.net/index.php3

Questions :

1) Should I need add any other configuration details in /etc/snmp/snmptrapd.conf

TRAPD BEHAVIOUR

snmpTrapdAddr udp:127.0.0.1:162,udp6:[::1]:162
doNotLogTraps no

ACCESS CONTROL

authCommunity log,execute,net solarwinds
disableAuthorization no

NOTIFICATION PROCESSING

OTHER CONFIGURATION

2) What configuration details should be added under this file /etc/sysconfig/snmptrapd.

snmptrapd command line options

OPTIONS="-Lsd"

Kindly guide me on this.
thanks in advance

Re: How to capture snmp traps in splunk ?

saurabh_tek11 — Sun, 10 Dec 2017 18:59:27 GMT

That input is coming at /opt/splunk/etc/apps/launcher/local/inputs.conf because you made the settings changes in UI Manager-->settings-->datainputs--snmp--new ALthough the movement is not needed as this is your test env. but if you move that wont affect anything except at later point of time if you revisit it under ta_snmp this inputs.conf shall clearly indicate what inputs its used for(as this is under snmp).

MIB is about explanation of some codes.. like http 200 means OK. It adds value for sake of better understanding and clarity. \

steps seems to be correct.