How to install the SNMP Modular Input add-on on a Windows universal forwarder?

pinVie
Path Finder

Hi all,

I am running the SNMP Modular Input add-on. It works fine when installed on an indexer, but I can not get it up & running on a universal forwarder (Windows). I am only interested in SNMP traps and I did the configuration accordingly.

What I did is:
- Installed the universal forwarder and added the forward-server. The defined indexer receives information from the forwarder in the _internal index.
- Downloaded the snmp_ta and copied it to ~\SplunkUniversalForwarder\etc\apps (on the indexer I installed it via the "appstore").
- Created inputs.conf at ~\SplunkUniversalForwarder\etc\apps\local\ and added the proper inputs config - I defined 2222 as snmp port.
- Restarted the Splunk service.
- Send snmp traps to

Splunk is 6.1.2 - I am used to 6.2.4 and really missing the forwarder inputs configuration in the web ui 🙂

Can anybody tell me what I did wrong ??

Thx a lot !

Edit: Forgot to mention - I don't even see port 2222 (the port snmp traps should be received) in netstat -an (on the universal forwarder machine).

0 Karma
1 Solution

pinVie
Path Finder

Ok works on a Linux machine.
I had the following issues:
- On the Linux forwarder I had no pySNMP installed.
- I had to modify the scripts a little bit.
- Had to use a port > 1024 on linux (don't want to provide the necessary privileges to run on a well known port).

A good description can be found here - basically that's what I did to get it up & running:
http://www.georgestarcher.com/splunk-capturing-smnp-traps-on-a-universal-forwarder/

My config looks like this - as you can see, I am just interested in traps.

[snmp://SNMP_TestInput]
communitystring = public
do_bulk_get = 0
do_get_subtree = 0
index = test
ipv6 = 0
snmp_mode = traps
snmp_version = 2C
sourcetype = snmpTrap
split_bulk_output = 0
trap_host = <YOUR-IP>
trap_port = <YOUR-PORT>
trap_rdns = 0
v3_authProtocol = usmHMACMD5AuthProtocol
v3_privProtocol = usmDESPrivProtocol

Greets and Thank you all

edit: Working on Windows as well (at least the Traps) - I just had to adapt the snmp.py file and change the hardcoded path elements to

egg_dir = SPLUNK_HOME + "\\etc\\apps\\snmp_ta\\bin\\"
mib_egg_dir = SPLUNK_HOME +  "\\etc\\apps\\snmp_ta\\bin\\mibs"
sys.path.append(mib_egg_dir + "\\"+filename) 

Don't forget to define SPLUNK_HOME as environment variable!

0 Karma
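
A pre-flight check for the points this thread ran into (SPLUNK_HOME not set, placeholder or privileged trap_port) plus the weak values visible in the posted stanza. This is an added example, not part of the original post or of the add-on's code; `check_trap_inputs` and the sample values are hypothetical, and it is written for Python 3.

```python
import configparser
import os

# Constructed sample: the posted stanza, shortened, with placeholders filled in.
SAMPLE = """\
[snmp://SNMP_TestInput]
communitystring = public
snmp_mode = traps
trap_host = 0.0.0.0
trap_port = 162
v3_authProtocol = usmHMACMD5AuthProtocol
v3_privProtocol = usmDESPrivProtocol
"""
WEAK_V3 = {"usmHMACMD5AuthProtocol": "MD5 authentication",
           "usmDESPrivProtocol": "DES privacy"}


def check_trap_inputs(conf_text, env=None):
    """Return (stanza, finding) pairs for the snmp:// trap stanzas in conf_text."""
    env = os.environ if env is None else env
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))
    cp.optionxform = str  # keep key case, e.g. v3_authProtocol
    cp.read_string(conf_text)
    out = []
    if not env.get("SPLUNK_HOME"):
        out.append(("<env>", "SPLUNK_HOME is not set"))
    for name in cp.sections():
        s = cp[name]
        if not name.startswith("snmp://") or s.get("snmp_mode") != "traps":
            continue
        host, port = s.get("trap_host", ""), s.get("trap_port", "")
        if "<" in host or "<" in port:
            out.append((name, "placeholder left in trap_host/trap_port"))
        elif not port.isdecimal() or not 0 < int(port) < 65536:
            out.append((name, "trap_port is not a valid UDP port"))
        elif int(port) < 1024:
            out.append((name, "trap_port below 1024 needs elevated privileges on Linux"))
        if s.get("communitystring") == "public":
            out.append((name, "communitystring is the well-known default 'public'"))
        for key in ("v3_authProtocol", "v3_privProtocol"):
            if s.get(key) in WEAK_V3:  # only matters once the input uses SNMPv3
                out.append((name, key + " selects " + WEAK_V3[s.get(key)]))
    return out


if __name__ == "__main__":
    for stanza, finding in check_trap_inputs(SAMPLE):
        print(stanza + ": " + finding)
```
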

Damien_Dallimor
Ultra Champion

Error log messages ? Search via : index=_internal ExecProcessor error snmp.py

Python 2.7 runtime installed on the Forwarder OS ?

0 Karma

pinVie
Path Finder

Actually no error messages, port is in use now. But nothing is forwarded to the indexer.
Do I have to do a different config in the outputs.conf than created by ./splunk add forward-server ????

Thx !

0 Karma

Damien_Dallimor
Ultra Champion

Shouldn't have to change outputs.conf.

What does your inputs.conf look like ?

0 Karma