SNMP Modular Input: Why am I unable to capture any traps from a Cisco device?

npichugin
Path Finder

Hello,

I'm trying to capture traps from a Cisco router with SNMP Modular Input add-on. Here's what I did so far:

  1. Configured Cisco router to send all possible traps to my Splunk host, port 162;
  2. Installed SNMP add-on;
  3. Downloaded CISCO-SMI, CISCO-TC, CISCO-CONFIG-MAN-MIB MIBs from Cisco website and converted them to Python modules as described in SNMP add-on documentation;
  4. Moved them to the $SPLUNK_ROOT/etc/apps/snmp_ta/bin/mibs/ directory;
  5. Created and configured a new SNMP input: s7.postimg.org/eyn4d5mx7/snmp_cisco.png
  6. Tried to force the Cisco router to emit a trap by updating its configuration with the write command. Though tcpdump does see a trap message coming, Splunk doesn't capture it and I see no data in the Search app.

Also, Python did complain about "more than 255 arguments" in CISCO-TC.py, so I had to comment out the inner code of the IfOperStatusReason class. This shouldn't have had an effect on my particular situation, though.

What should I do? Thanks in advance!

0 Karma
1 Solution

Damien_Dallimor
Ultra Champion

Have a look at the answer that was accepted in this question and see if that helps you: http://answers.splunk.com//answers/138848/snmp-traps-not-being-indexed-by-snmp-modular-input

splunker12er
Motivator

I have configured the same as above, but I still cannot see traps in Splunk search.
I have done netstat -au - port 162 is listening.
I have set the host name to the exact IP of the search head, as I gave in the device.
The rest of the configs are also done.

But still seeing no events 😞

0 Karma

Damien_Dallimor
Ultra Champion

Nice. Please "accept" the answer above.

0 Karma

npichugin
Path Finder

Thank you! This thread helped me. Setting the trap listener to exactly the same value as it was set on the router resolved the issue.

0 Karma

Damien_Dallimor
Ultra Champion

1) Are there any errors? Search in "index=_internal ExecProcessor error snmp.py"

2) Have you set the correct bind host for the trap listener?

3) Is the SNMP stanza you set up opening the port and listening?

4) Have you specified the correct SNMP version?

0 Karma

npichugin
Path Finder

1) I see only one error about "more than 255 arguments" there. After I (sort of) fixed it there were no more errors, and the snmp.py process started up successfully.
2) Yes, it's localhost
3) Yes, netstat -lnp | grep 162 confirms it
4) Yes

0 Karma
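
The symptom in this thread (tcpdump sees the trap arrive, the input indexes nothing) is what a UDP listener bound to a different local address than the one the sender targets looks like. The sketch below is an added example, not code from the SNMP Modular Input add-on; it assumes Linux (where all of 127.0.0.0/8 is loopback), uses 127.0.0.2 as a stand-in for the address configured on the router, and uses an ephemeral port instead of 162 so it runs unprivileged.

```python
import socket

# Constructed stand-in payload; not a real SNMP trap PDU.
TRAP = b"constructed-trap-payload"


def trap_delivered(bind_host, dest_host, timeout=0.5):
    """Bind a UDP listener on bind_host, send one datagram to dest_host on
    the same port, and return True only if the listener received it."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sender = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        # Port 0 lets the OS pick a free port (assumption: stands in for 162).
        listener.bind((bind_host, 0))
        port = listener.getsockname()[1]
        listener.settimeout(timeout)
        sender.sendto(TRAP, (dest_host, port))
        try:
            data, _ = listener.recvfrom(4096)
        except socket.timeout:
            # The packet reached the host, but no socket bound to that
            # destination address exists, so the kernel dropped it.
            return False
        return data == TRAP
    finally:
        listener.close()
        sender.close()


if __name__ == "__main__":
    cases = [
        ("127.0.0.1", "127.0.0.2"),  # listener on localhost, sender targets another address
        ("127.0.0.2", "127.0.0.2"),  # listener bound to the exact address the sender targets
        ("0.0.0.0", "127.0.0.2"),    # wildcard bind accepts any local address
    ]
    for bind_host, dest_host in cases:
        ok = trap_delivered(bind_host, dest_host)
        print(f"bind={bind_host:<10} dest={dest_host:<10} delivered={ok}")
```

A packet capture sits below the socket layer, so it shows the datagram in all three cases; only the bind address decides whether the listening process ever reads it.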