All Apps and Add-ons
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to install the SNMP Modular Input add-on on a Windows universal forwarder?

pinVie
Path Finder
‎07-16-2015 02:09 AM

Hi all,

I am running the SNMP Modular Input add-on. It works fine when installed on an indexer, but I can not get it up & running on a universal forwarder (Windows). I am only interested in SNMP traps and I did the configuration accordingly.

What I did is:
- Install the universal forwarder and added the forward-server. The defined indexer receives information from the forwarder in the _internal index.
- Downloaded the snmp_ta and copied it to ~\SplunkUniversalForwarder\etc\apps (on the indexer I installed it via die "appstore").
- Created inputs.conf at ~\SplunkUniversalForwarder\etc\apps\local\ and added the and added the proper inputs config - I defined 2222 as snmp port.
- Restart splunk service.
- Send snmp traps to

Splunk is 6.1.2 - I am used to 6.2.4 and really missing the forwarder inputs configuration in the web ui 🙂

Can anybody tell me what I did wrong ??

Thx a lot !

Edit: Forgot to mention - I don't even see port 2222 (the port snmp traps should be received) in netstat -an (on the universal forwarder machine).

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

pinVie
Path Finder
‎07-19-2015 11:16 PM

Ok works on a Linux machine.
I had the following issues:
- On the Linux forwarder I had no pySNMP installed.
- I had to modify the scripts a little bit.
- Had to use a port > 1024 on linux (don't want to provide the necessary privileges to run on a well known port).

A good description can be found here - basically thats what I did to get it up&running:
http://www.georgestarcher.com/splunk-capturing-smnp-traps-on-a-universal-forwarder/

My config loogs like this - as you can see, I am just interested in traps. 

[snmp://SNMP_TestInput]
communitystring = public
do_bulk_get = 0
do_get_subtree = 0
index = test
ipv6 = 0
snmp_mode = traps
snmp_version = 2C
sourcetype = snmpTrap
split_bulk_output = 0
trap_host = <YOUR-IP>
trap_port = <YOUR-PORT>
trap_rdns = 0
v3_authProtocol = usmHMACMD5AuthProtocol
v3_privProtocol = usmDESPrivProtocol

Greets and Thank you all

edit: Working on Windows as well (at least the Traps) - i just had to adapt the snmp.py file and change the hardcoded path elements to

egg_dir = SPLUNK_HOME + "\\etc\\apps\\snmp_ta\\bin\\"
mib_egg_dir = SPLUNK_HOME +  "\\etc\\apps\\snmp_ta\\bin\\mibs"
sys.path.append(mib_egg_dir + "\\"+filename)

Don't forget to define SPLUNK_HOME as environment variable!

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

pinVie
Path Finder
‎07-19-2015 11:16 PM

Ok works on a Linux machine.
I had the following issues:
- On the Linux forwarder I had no pySNMP installed.
- I had to modify the scripts a little bit.
- Had to use a port > 1024 on linux (don't want to provide the necessary privileges to run on a well known port).

A good description can be found here - basically thats what I did to get it up&running:
http://www.georgestarcher.com/splunk-capturing-smnp-traps-on-a-universal-forwarder/

My config loogs like this - as you can see, I am just interested in traps. 

[snmp://SNMP_TestInput]
communitystring = public
do_bulk_get = 0
do_get_subtree = 0
index = test
ipv6 = 0
snmp_mode = traps
snmp_version = 2C
sourcetype = snmpTrap
split_bulk_output = 0
trap_host = <YOUR-IP>
trap_port = <YOUR-PORT>
trap_rdns = 0
v3_authProtocol = usmHMACMD5AuthProtocol
v3_privProtocol = usmDESPrivProtocol

Greets and Thank you all

edit: Working on Windows as well (at least the Traps) - i just had to adapt the snmp.py file and change the hardcoded path elements to

egg_dir = SPLUNK_HOME + "\\etc\\apps\\snmp_ta\\bin\\"
mib_egg_dir = SPLUNK_HOME +  "\\etc\\apps\\snmp_ta\\bin\\mibs"
sys.path.append(mib_egg_dir + "\\"+filename)

Don't forget to define SPLUNK_HOME as environment variable!

0 Karma
Reply
Solved! Jump to solution

Damien_Dallimor
Ultra Champion
‎07-16-2015 02:28 AM

Error log messages ? Search via : index=_internal ExecProcessor error snmp.py

Python 2.7 runtime installed on the Forwarder OS ?

0 Karma
Reply
Solved! Jump to solution

pinVie
Path Finder
‎07-16-2015 06:26 AM

Actually no error messages, port is in use now. But nothing is forwarded to the indexer.
Do I have to do a different config in the outputs.conf than created by ./splunk add foward-server ????

Thx !

0 Karma
Reply
Solved! Jump to solution

Damien_Dallimor
Ultra Champion
‎07-16-2015 06:27 PM

Shouldn't have to change outputs.conf.

What does your inputs.conf look like ?

0 Karma
Reply
Get Updates on the Splunk Community!

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...

The Latest Cisco Integrations With Splunk Platform!

Join us for an exciting tech talk where we’ll explore the latest integrations in Cisco &#43; Splunk! We’ve ...

AI Adoption Hub Launch | Curated Resources to Get Started with AI in Splunk

Hey Splunk Practitioners and AI Enthusiasts! It’s no secret (or surprise) that AI is at the forefront of ...
li.common.scroll-to.top