SNMP Modular Input: Why am I unable to capture any traps from a Cisco device?

npichugin
Path Finder

Hello,

I'm trying to capture traps from a Cisco router with the SNMP Modular Input add-on. Here's what I did so far:

  1. Configured the Cisco router to send all possible traps to my Splunk host, port 162;
  2. Installed the SNMP add-on;
  3. Downloaded the CISCO-SMI, CISCO-TC, CISCO-CONFIG-MAN-MIB MIBs from the Cisco website and converted them to Python modules as described in the SNMP add-on documentation;
  4. Moved them to the $SPLUNK_ROOT/etc/apps/snmp_ta/bin/mibs/ directory;
  5. Created and configured a new SNMP input: s7.postimg.org/eyn4d5mx7/snmp_cisco.png
  6. Tried to force the Cisco router to emit a trap by updating its configuration with the write command. Though tcpdump does see a trap message coming, Splunk doesn't capture it and I see no data in the Search app.

Also, Python did complain about "more than 255 arguments" in CISCO-TC.py, so I had to comment out the IfOperStatusReason class' inner code. This shouldn't have an effect on my particular situation, though.

What should I do? Thanks in advance!

0 Karma
1 Solution

Damien_Dallimor
Ultra Champion

Have a look at the answer that was accepted in this question and see if that helps you: http://answers.splunk.com//answers/138848/snmp-traps-not-being-indexed-by-snmp-modular-input

splunker12er
Motivator

I have configured the same as above, but I still cannot see traps in Splunk search.
I have done netstat -au - port 162 is listening.
Host name I have set to the exact IP of the search head, as I gave in the device.
The rest of the configs are also done.

But still seeing no events 😞

0 Karma

Damien_Dallimor
Ultra Champion

Nice. Please "accept" the answer above.

0 Karma

npichugin
Path Finder

Thank you! This thread helped me. Setting the trap listener to exactly the same value as it was set on the router resolved the issue.

0 Karma

Damien_Dallimor
Ultra Champion

1) Are there any errors? Search in "index=_internal ExecProcessor error snmp.py"

2) Have you set the correct bind host for the trap listener?

3) Is the SNMP stanza you set up opening the port and listening?

4) Have you specified the correct SNMP version?

0 Karma

npichugin
Path Finder

1) I see only one error about "more than 255 arguments" there. After I (sort of) fixed it there were no more errors, and the snmp.py process started up successfully.
2) Yes, it's localhost
3) Yes, netstat -lnp | grep 162 confirms it
4) Yes

0 Karma
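
The check below is an added example, not part of any post in this thread or of the SNMP add-on. It shows why a `netstat` hit on port 162 does not prove traps will arrive when the listener's bind host is localhost, consistent with the fix reported in this thread. The netstat lines, the address 192.0.2.10 and the function names are constructed for illustration, and Linux `netstat -lnu` column layout is assumed.

```python
import ipaddress

TRAP_PORT = 162  # UDP port the router in this thread sends traps to

def udp_listeners(netstat_text, port=TRAP_PORT):
    """Local bind addresses of UDP sockets on `port`, from `netstat -lnu` output."""
    binds = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[0].startswith("udp"):
            continue  # header lines and non-UDP sockets
        host, _, local_port = fields[3].rpartition(":")
        if local_port == str(port):
            binds.append(host.strip("[]"))
    return binds

def receives(bind_host, trap_dest):
    """True if a socket bound to bind_host is handed datagrams sent to trap_dest."""
    bind = ipaddress.ip_address(bind_host)
    dest = ipaddress.ip_address(trap_dest)
    if bind.version != dest.version:
        return False  # conservative: dual-stack delivery is not assumed
    # A wildcard bind (0.0.0.0 or ::) accepts any local address; a specific
    # bind accepts only datagrams addressed to exactly that address.
    return bind.is_unspecified or bind == dest

def diagnose(netstat_text, trap_dest, port=TRAP_PORT):
    """Compare the listener's bind address with the router's trap destination."""
    binds = udp_listeners(netstat_text, port)
    if not binds:
        return "no listener on udp/%d" % port
    if any(receives(b, trap_dest) for b in binds):
        return "ok"
    return "listener bound to %s only; traps addressed to %s are not delivered" % (
        ", ".join(binds), trap_dest)

# Constructed sample output: before and after changing the input's bind host.
BEFORE = """Proto Recv-Q Send-Q Local Address     Foreign Address   State
udp        0      0 127.0.0.1:162     0.0.0.0:*
udp        0      0 0.0.0.0:514       0.0.0.0:*"""
AFTER = "udp        0      0 192.0.2.10:162    0.0.0.0:*"

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, "->", diagnose(text, "192.0.2.10"))
```
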