
How to install the SNMP Modular Input add-on on a Windows universal forwarder?

pinVie
Path Finder

Hi all,

I am running the SNMP Modular Input add-on. It works fine when installed on an indexer, but I cannot get it up & running on a universal forwarder (Windows). I am only interested in SNMP traps and did the configuration accordingly.

What I did is:
- Installed the universal forwarder and added the forward-server. The defined indexer receives information from the forwarder in the _internal index.
- Downloaded the snmp_ta and copied it to ~\SplunkUniversalForwarder\etc\apps (on the indexer I installed it via the "appstore").
- Created inputs.conf at ~\SplunkUniversalForwarder\etc\apps\local\ and added the proper inputs config - I defined 2222 as the SNMP port.
- Restarted the Splunk service.
- Sent SNMP traps to

Splunk is 6.1.2 - I am used to 6.2.4 and really miss the forwarder inputs configuration in the web UI 🙂

Can anybody tell me what I did wrong?

Thx a lot !

Edit: Forgot to mention - I don't even see port 2222 (the port the SNMP traps should be received on) in netstat -an on the universal forwarder machine.

0 Karma
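The question ends on two checks: is anything bound on 2222/udp on the forwarder, and does a trap actually reach it? The following is an added Python example, not part of the original post and not code from the add-on. It hand-encodes an SNMPv2c trap with stdlib BER (so it runs on a forwarder where pysnmp is absent), sends it, and reproduces the netstat check by trying to bind the port itself. Host 127.0.0.1 and port 2222 are assumptions taken from the question; the community string "public", the coldStart trap OID and the uptime value are constructed sample data. The small decoder at the bottom makes a point worth remembering when choosing snmp_version: in v1/v2c the community string is plain text in every datagram, so anyone on the path can read it and it acts as a filter, not a secret.

```python
import socket

# --- minimal BER / SNMPv2c encoder (stdlib only, no pysnmp required) ---

def ber_len(n):
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + ber_len(len(body)) + body

def ber_int(value, tag=0x02):
    """Minimal two's-complement INTEGER; tag 0x43 yields TimeTicks."""
    n = (value.bit_length() + 8) // 8          # one extra bit for the sign
    return tlv(tag, value.to_bytes(n, "big", signed=True))

def ber_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, rest base-128."""
    arcs = [int(a) for a in dotted.strip(".").split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for sub in arcs[2:]:
        chunk = bytearray([sub & 0x7F])
        sub >>= 7
        while sub:
            chunk.insert(0, 0x80 | (sub & 0x7F))
            sub >>= 7
        out += chunk
    return tlv(0x06, bytes(out))

def ber_str(data):
    return tlv(0x04, data.encode() if isinstance(data, str) else data)

def varbind(oid, value_tlv):
    return tlv(0x30, ber_oid(oid) + value_tlv)

SYS_UPTIME = "1.3.6.1.2.1.1.3.0"          # sysUpTime.0, mandatory first varbind
SNMP_TRAP_OID = "1.3.6.1.6.3.1.1.4.1.0"   # snmpTrapOID.0, mandatory second varbind
COLD_START = "1.3.6.1.6.3.1.1.5.1"        # constructed sample: coldStart trap

def build_v2c_trap(community, trap_oid, uptime_ticks, request_id=1, extra=()):
    """SNMPv2c message wrapping an SNMPv2-Trap-PDU (context tag 0xA7)."""
    vbs = varbind(SYS_UPTIME, ber_int(uptime_ticks, tag=0x43))
    vbs += varbind(SNMP_TRAP_OID, ber_oid(trap_oid))
    for oid, val in extra:
        vbs += varbind(oid, val)
    pdu = tlv(0xA7, ber_int(request_id) + ber_int(0) + ber_int(0) + tlv(0x30, vbs))
    return tlv(0x30, ber_int(1) + ber_str(community) + pdu)   # version 1 == v2c

# --- decoder, just far enough to show the community string is cleartext ---

def read_tlv(buf, pos=0):
    tag, ln = buf[pos], buf[pos + 1]
    pos += 2
    if ln & 0x80:                               # long-form length
        n = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + ln], pos + ln

def peek_header(msg):
    """Return (version, community) of a v1/v2c message; no key needed."""
    tag, body, _ = read_tlv(msg)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, vbody, pos = read_tlv(body)
    _, cbody, _ = read_tlv(body, pos)
    return int.from_bytes(vbody, "big", signed=True), cbody.decode("latin-1")

# --- the two checks from the question: "netstat -an" and "send a trap" ---

def udp_port_bound(port, host="127.0.0.1"):
    """True if a local process already holds host:port/udp (bind fails)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        try:
            s.bind((host, port))
        except OSError:
            return True
        return False

def send_trap(msg, host="127.0.0.1", port=2222):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        return s.sendto(msg, (host, port))

def loopback_roundtrip(msg):
    """Send the trap to a throwaway local listener; return what arrived plus
    what udp_port_bound() reported while the listener was up and after."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx:
        rx.bind(("127.0.0.1", 0))
        rx.settimeout(2)
        port = rx.getsockname()[1]
        seen_open = udp_port_bound(port)
        send_trap(msg, "127.0.0.1", port)
        data, _ = rx.recvfrom(65535)
    return data, seen_open, udp_port_bound(port)

if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 2222     # port from the question
    msg = build_v2c_trap("public", COLD_START, 1234)
    if host in ("127.0.0.1", "localhost"):
        print("something bound on %d/udp: %s" % (port, udp_port_bound(port)))
    print("sent %d bytes, header=%r" % (send_trap(msg, host, port), peek_header(msg)))
```

Run it on the forwarder itself: if udp_port_bound() prints False for 2222, the modular input never started and the answer is in index=_internal rather than in outputs.conf; if it prints True and the trap still does not show up in the target index, the problem is downstream of the socket.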
1 Solution

pinVie
Path Finder

OK, it works on a Linux machine.
I had the following issues:
- On the Linux forwarder I had no pySNMP installed.
- I had to modify the scripts a little bit.
- Had to use a port > 1024 on Linux (don't want to provide the necessary privileges to run on a well-known port).

A good description can be found here - basically that's what I did to get it up & running:
http://www.georgestarcher.com/splunk-capturing-smnp-traps-on-a-universal-forwarder/

My config looks like this - as you can see, I am just interested in traps.

[snmp://SNMP_TestInput]
communitystring = public
do_bulk_get = 0
do_get_subtree = 0
index = test
ipv6 = 0
snmp_mode = traps
snmp_version = 2C
sourcetype = snmpTrap
split_bulk_output = 0
trap_host = <YOUR-IP>
trap_port = <YOUR-PORT>
trap_rdns = 0
v3_authProtocol = usmHMACMD5AuthProtocol
v3_privProtocol = usmDESPrivProtocol

Greets and Thank you all

Edit: Working on Windows as well (at least the traps) - I just had to adapt the snmp.py file and change the hardcoded path elements to

egg_dir = SPLUNK_HOME + "\\etc\\apps\\snmp_ta\\bin\\"
mib_egg_dir = SPLUNK_HOME + "\\etc\\apps\\snmp_ta\\bin\\mibs"
sys.path.append(mib_egg_dir + "\\" + filename)

Don't forget to define SPLUNK_HOME as environment variable!


0 Karma
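Two things in this answer deserve a closer look: the path fix for snmp.py, and the settings in the inputs.conf stanza. The Python below is an added example, not code from the post or from the add-on. resolve_addon_dirs() builds the same bin/ and mibs/ paths with os.path.join, so one version of the edit works on Windows and Linux, and it prefers the script's own location over the SPLUNK_HOME environment variable (the variable then only matters as a fallback). audit_snmp_stanzas() reads a stanza in the format shown and flags what a reviewer would flag: snmp_version 1/2C puts the community string on the wire in cleartext, "public" is the default community everyone tries first, usmHMACMD5AuthProtocol/usmDESPrivProtocol are the weakest v3 choices, and a trap_port below 1024 needs the privileges the answer deliberately avoids. The sample stanza is a constructed copy of the one above with the placeholders filled in (0.0.0.0 and 2222 are assumptions taken from the thread); the function name, the weak-protocol tables and the finding texts are mine.

```python
import os
import configparser

def resolve_addon_dirs(script_path=None, env=os.environ):
    """Locate snmp_ta/bin and its mibs/ folder without hardcoded separators.

    Preferred: derive both from the running script's own location, which
    needs no environment variable on either OS.  Fallback: the
    $SPLUNK_HOME/etc/apps/snmp_ta/bin layout used in the post's edit.
    """
    if script_path:
        bin_dir = os.path.dirname(os.path.abspath(script_path))
    else:
        home = env.get("SPLUNK_HOME")
        if not home:
            raise RuntimeError("SPLUNK_HOME is not set and no script path given")
        bin_dir = os.path.join(home, "etc", "apps", "snmp_ta", "bin")
    return bin_dir, os.path.join(bin_dir, "mibs")

# Constructed sample: the stanza from the post with placeholders filled in.
SAMPLE_INPUTS_CONF = """\
[snmp://SNMP_TestInput]
communitystring = public
do_bulk_get = 0
do_get_subtree = 0
index = test
ipv6 = 0
snmp_mode = traps
snmp_version = 2C
sourcetype = snmpTrap
split_bulk_output = 0
trap_host = 0.0.0.0
trap_port = 2222
trap_rdns = 0
v3_authProtocol = usmHMACMD5AuthProtocol
v3_privProtocol = usmDESPrivProtocol
"""

# pysnmp protocol names considered weak (assumption: table chosen here)
WEAK_AUTH = {"usmHMACMD5AuthProtocol": "MD5", "usmNoAuthProtocol": "no authentication"}
WEAK_PRIV = {"usmDESPrivProtocol": "single DES", "usmNoPrivProtocol": "no encryption"}

def audit_snmp_stanzas(text):
    """Return {stanza name: [finding, ...]} for every snmp:// stanza."""
    cp = configparser.ConfigParser(interpolation=None)   # configparser lowercases keys
    cp.read_string(text)
    findings = {}
    for name in cp.sections():
        if not name.startswith("snmp://"):
            continue
        s, out = cp[name], []
        ver = s.get("snmp_version", "").upper()
        if ver in ("1", "2C"):
            out.append("v%s: community string travels in cleartext on the wire" % ver)
            if s.get("communitystring", "").lower() in ("public", "private"):
                out.append("default community string %r" % s.get("communitystring"))
        elif ver == "3":
            # v3_* keys are ignored by v1/v2c inputs, so only judge them for v3
            auth = s.get("v3_authprotocol", "")
            if auth in WEAK_AUTH:
                out.append("v3 authentication uses %s (%s)" % (WEAK_AUTH[auth], auth))
            priv = s.get("v3_privprotocol", "")
            if priv in WEAK_PRIV:
                out.append("v3 privacy uses %s (%s)" % (WEAK_PRIV[priv], priv))
        port = s.get("trap_port", "")
        if not port.isdigit():
            out.append("trap_port %r is not a number (placeholder left in?)" % port)
        elif int(port) < 1024:
            out.append("trap_port %s is privileged; the forwarder needs root/SYSTEM "
                       "(or a capability) to bind it" % port)
        host = s.get("trap_host", "")
        if not host or host.startswith("<"):
            out.append("trap_host %r looks like an unfilled placeholder" % host)
        findings[name] = out
    return findings

if __name__ == "__main__":
    print(resolve_addon_dirs(script_path=__file__))
    for stanza, items in audit_snmp_stanzas(SAMPLE_INPUTS_CONF).items():
        print(stanza)
        for item in items:
            print("  -", item)
```

Point it at the real file with audit_snmp_stanzas(open(path).read()) on the forwarder; the two findings it raises for the stanza above are exactly the trade-off a trap receiver on a shared segment makes when it stays on v2c.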

Damien_Dallimor
Ultra Champion

Error log messages? Search via: index=_internal ExecProcessor error snmp.py

Python 2.7 runtime installed on the forwarder OS?

0 Karma

pinVie
Path Finder

Actually no error messages, the port is in use now. But nothing is forwarded to the indexer.
Do I have to do a different config in outputs.conf than the one created by ./splunk add forward-server?

Thanks!

0 Karma

Damien_Dallimor
Ultra Champion

Shouldn't have to change outputs.conf.

What does your inputs.conf look like ?

0 Karma