Hi there,
I'm using Splunk 7.0.0 with a cluster setup for our indexer and a dedicated syslog server where SNMP traps are also collected.
This server has a universal forwarder installed.
For the first SNMP input configuration it works like a charm, but now I am trying to get another one working and it doesn't work.
The configuration looks like this:
# SNMP Traps from Application1
[snmp://APPLICATION1-TRAP]
communitystring = STRING1
do_bulk_get = 0
do_get_subtree = 0
index = temp
ipv6 = 0
mib_names = APPLICATION1mibFILE
response_handler =
snmp_mode = traps
snmp_version = 2C
sourcetype = SNMP
split_bulk_output = 0
trap_host = 192.168.1.39
trap_port = 8162
trap_rdns = 1
v3_authProtocol = usmHMACMD5AuthProtocol
v3_privProtocol = usmDESPrivProtocol

# SNMP Traps from Application2
[snmp://APPLICATION2-TRAP]
communitystring = STRING2
do_bulk_get = 0
do_get_subtree = 0
index = test
ipv6 = 0
mib_names = APPLICATION2mibFILE
response_handler = ResponseHandlerApp1
snmp_mode = traps
snmp_version = 2C
sourcetype = SNMP
split_bulk_output = 0
trap_host = 192.168.1.39
trap_port = 8162
trap_rdns = 1
v3_authProtocol = usmHMACMD5AuthProtocol
v3_privProtocol = usmDESPrivProtocol
disabled = 0
If I restart the Splunk forwarder to activate the configuration changes, there are no error messages or warnings regarding the SNMP module. But as soon as the first trap from the second application arrives on the server, it generates error messages.
It looks like the Splunk forwarder cannot tell the different community strings apart. It always tries to use APPLICATION1, no matter whether the string matches the configuration or not.
Has anyone implemented more than one SNMP input with the SNMP Modular Input add-on, with different community strings and different indexes? It should be possible to configure more than one SNMP input, shouldn't it?
Many thanks
[edit]
I read the Developer Blog again and found out that for the trap listener part, you can only set the listener port and the listener host.
So it looks like all the other settings in the configuration (inputs.conf) are only for the active polling section.
Then you have to configure everything else with props.conf and transforms.conf.
But the configuration of the MIB names will be used, because it translates the OIDs to readable names.
Summary:
If that is done, the SNMP traps of the different sources will be indexed as you want.
You can't open 2 ports at 8162.
Try 8162 and 8163.
Furthermore, you can simplify that config for better reuse and extensibility:
[snmp]
do_bulk_get = 0
do_get_subtree = 0
ipv6 = 0
snmp_mode = traps
snmp_version = 2C
sourcetype = SNMP
split_bulk_output = 0
trap_host = 192.168.1.39
trap_rdns = 1
v3_authProtocol = usmHMACMD5AuthProtocol
v3_privProtocol = usmDESPrivProtocol

[snmp://APPLICATION1-TRAP]
communitystring = STRING1
index = temp
mib_names = APPLICATION1mibFILE
trap_port = 8162
disabled = 0

[snmp://APPLICATION2-TRAP]
communitystring = STRING2
index = test
mib_names = APPLICATION2mibFILE
response_handler = ResponseHandlerApp1
trap_port = 8163
disabled = 0
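
The listener collision described in the answer above can be caught before the forwarder is restarted. The following is an added example, not part of the original thread or of the add-on's code: it resolves each `[snmp://...]` stanza against the `[snmp]` defaults and reports any `trap_host`/`trap_port` pair claimed by more than one enabled trap input. The function name and both sample configurations are constructed for illustration, and it assumes `[snmp]` supplies defaults in the way the answer's layout uses it.

```python
import configparser
from collections import defaultdict

# Constructed sample: the question's layout, both trap inputs on port 8162.
SAME_PORT = """
[snmp://APPLICATION1-TRAP]
snmp_mode = traps
trap_host = 192.168.1.39
trap_port = 8162
[snmp://APPLICATION2-TRAP]
snmp_mode = traps
response_handler =
trap_host = 192.168.1.39
trap_port = 8162
disabled = 0
"""

# Constructed sample: the answer's layout, shared [snmp] defaults, one port each.
SPLIT_PORTS = """
[snmp]
snmp_mode = traps
trap_host = 192.168.1.39
[snmp://APPLICATION1-TRAP]
trap_port = 8162
[snmp://APPLICATION2-TRAP]
trap_port = 8163
"""

def trap_listener_conflicts(conf_text):
    """Map (trap_host, trap_port) -> stanzas, for listeners claimed more than once."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    cp.read_string(conf_text)
    # Assumption: [snmp] supplies defaults for every [snmp://...] stanza.
    defaults = dict(cp["snmp"]) if cp.has_section("snmp") else {}
    listeners = defaultdict(list)
    for name in cp.sections():
        if not name.startswith("snmp://"):
            continue
        eff = {**defaults, **cp[name]}  # stanza values override the defaults
        if eff.get("disabled", "0").strip().lower() in ("1", "true"):
            continue
        if eff.get("snmp_mode", "").strip().lower() != "traps":
            continue  # only trap-mode inputs are checked for a shared listener
        # Unset values stay empty; the add-on's built-in defaults are not modelled.
        key = (eff.get("trap_host", ""), eff.get("trap_port", ""))
        listeners[key].append(name)
    return {k: v for k, v in listeners.items() if len(v) > 1}

if __name__ == "__main__":
    for label, text in (("same port", SAME_PORT), ("split ports", SPLIT_PORTS)):
        print(label, trap_listener_conflicts(text))
```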
Hi Damien,
thanks for this example.
I just changed my configuration and it works perfectly.