SNMP Modular Input: Why am I unable to capture any traps from a Cisco device?

npichugin
Path Finder

Hello,

I'm trying to capture traps from a Cisco router with SNMP Modular Input add-on. Here's what I did so far:

  1. Configured Cisco router to send all possible traps to my Splunk host, port 162;
  2. Installed SNMP add-on;
  3. Downloaded CISCO-SMI, CISCO-TC, CISCO-CONFIG-MAN-MIB MIBs from Cisco website and converted them to Python modules as described in SNMP add-on documentation;
  4. Moved them to the $SPLUNK_ROOT/etc/apps/snmp_ta/bin/mibs/ directory;
  5. Created and configured a new SNMP input: s7.postimg.org/eyn4d5mx7/snmp_cisco.png
  6. Tried to force the Cisco router to emit a trap by updating its configuration with the write command. Though tcpdump does see a trap message coming in, Splunk doesn't capture it and I see no data in the Search app.

Also, Python did complain about "more than 255 arguments" in CISCO-TC.py, so I had to comment out the IfOperStatusReason class's inner code. This shouldn't have had an effect on my particular situation, though.

What should I do? Thanks in advance!

0 Karma
1 Solution

Damien_Dallimor
Ultra Champion

Have a look at the answer that was accepted in this question and see if that helps you: http://answers.splunk.com//answers/138848/snmp-traps-not-being-indexed-by-snmp-modular-input

splunker12er
Motivator

I have configured the same as above, but I still cannot see traps in Splunk search.
I have run netstat -au; port 162 is listening.
I have set the host name to the exact IP of the search head, as I gave it in the device.
The rest of the other configs are also done.

But I am still seeing no events 😞

0 Karma

Damien_Dallimor
Ultra Champion

Nice. Please "accept" the answer above.

0 Karma

npichugin
Path Finder

Thank you! This thread helped me. Setting the trap listener to exactly the same value as it was set on the router resolved the issue.

0 Karma

Damien_Dallimor
Ultra Champion

1) Are there any errors? Search in "index=_internal ExecProcessor error snmp.py"

2) Have you set the correct bind host for the trap listener?

3) Is the SNMP stanza you set up opening the port and listening?

4) Have you specified the correct SNMP version?

0 Karma

npichugin
Path Finder

1) I see only one error about "more than 255 arguments" there. After I (sort of) fixed it there were no more errors, and the snmp.py process started up successfully.
2) Yes, it's localhost
3) Yes, netstat -lnp | grep 162 confirms it
4) Yes

0 Karma
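
Added example, not part of the original thread and not the add-on's own code: a check for the situation described above, where tcpdump sees the trap and netstat shows port 162 open, yet nothing is indexed. A UDP socket bound to a specific address such as 127.0.0.1 only receives datagrams sent to that address, so the script compares the listener's local address with the trap destination configured on the router. The netstat sample and the address 192.0.2.10 are constructed for illustration, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample of `netstat -lnu` output (not captured from the thread).
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
udp        0      0 127.0.0.1:162           0.0.0.0:*
udp        0      0 0.0.0.0:514             0.0.0.0:*
udp6       0      0 :::123                  :::*
"""

def udp_listeners(netstat_text, port):
    """Return the local addresses of UDP sockets bound to `port`."""
    found = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[0].startswith("udp"):
            continue  # header line or non-UDP socket
        addr, _, local_port = fields[3].rpartition(":")
        if local_port != str(port):
            continue
        addr = "0.0.0.0" if addr == "*" else addr.strip("[]")
        try:
            found.append(ipaddress.ip_address(addr))
        except ValueError:
            continue  # address format this sketch does not understand
    return found

def can_receive(bind_addr, trap_dest):
    """True if a socket bound to bind_addr gets datagrams sent to trap_dest."""
    dest = ipaddress.ip_address(trap_dest)
    if bind_addr.is_unspecified:
        # Wildcard bind: accepts any local address of the same family.
        # (A dual-stack :: socket may also accept IPv4; ignored here.)
        return bind_addr.version == dest.version
    return bind_addr == dest

def diagnose(netstat_text, trap_dest, port=162):
    """Classify the listener state for traps sent to trap_dest:port."""
    listeners = udp_listeners(netstat_text, port)
    if not listeners:
        return "no-listener"
    if any(can_receive(a, trap_dest) for a in listeners):
        return "ok"
    return "bind-mismatch"  # port is open, but on the wrong address

if __name__ == "__main__":
    # 192.0.2.10 stands in for the trap destination set on the router.
    print(diagnose(SAMPLE_NETSTAT, "192.0.2.10"))
```

A "bind-mismatch" result is the case where `netstat | grep 162` looks healthy but the listener never sees the router's traps.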