I am running the SNMP Modular Input add-on. It works fine when installed on an indexer, but I cannot get it up & running on a universal forwarder (Windows). I am only interested in SNMP traps and I did the configuration accordingly.
What I did is:
- Installed the universal forwarder and added the forward-server. The defined indexer receives information from the forwarder in the internal index.
- Downloaded the snmpta and copied it to ~\SplunkUniversalForwarder\etc\apps (on the indexer I installed it via the "appstore").
- Created inputs.conf at ~\SplunkUniversalForwarder\etc\apps\local\ and added the proper inputs config - I defined 2222 as snmp port.
- Restarted the Splunk service.
- Send snmp traps to
Splunk is 6.1.2 - I am used to 6.2.4 and really missing the forwarder inputs configuration in the web ui 🙂
Can anybody tell me what I did wrong ??
Thx a lot !
Edit: Forgot to mention - I don't even see port 2222 (the port snmp traps should be received) in netstat -an (on the universal forwarder machine).
Error log messages ? Search via : index=_internal ExecProcessor error snmp.py
Python 2.7 runtime installed on the Forwarder OS ?
Actually no error messages, port is in use now. But nothing is forwarded to the indexer.
Do I have to do a different config in the outputs.conf than the one created by ./splunk add forward-server ????
Shouldn't have to change outputs.conf.
What does your inputs.conf look like ?
Ok works on a Linux machine.
I had the following issues:
- On the Linux forwarder I had no pySNMP installed.
- I had to modify the scripts a little bit.
- Had to use a port > 1024 on Linux (don't want to provide the necessary privileges to run on a well known port).
A good description can be found here - basically that's what I did to get it up & running:
My config looks like this - as you can see, I am just interested in traps.
    [snmp://SNMP_TestInput]
    communitystring = public
    do_bulk_get = 0
    do_get_subtree = 0
    index = test
    ipv6 = 0
    snmp_mode = traps
    snmp_version = 2C
    sourcetype = snmpTrap
    split_bulk_output = 0
    trap_host = <YOUR-IP>
    trap_port = <YOUR-PORT>
    trap_rdns = 0
    v3_authProtocol = usmHMACMD5AuthProtocol
    v3_privProtocol = usmDESPrivProtocol
Greets and Thank you all
edit: Working on Windows as well (at least the Traps) - I just had to adapt the snmp.py file and change the hardcoded path elements to

    egg_dir = SPLUNK_HOME + "\\etc\\apps\\snmp_ta\\bin\\"
    mib_egg_dir = SPLUNK_HOME + "\\etc\\apps\\snmp_ta\\bin\\mibs"
    sys.path.append(mib_egg_dir + "\\"+filename)
Don't forget to define SPLUNK_HOME as environment variable!