I'm attempting to monitor wireless client information for my Cisco wireless environment. It appears that SNMP traps are the best solution for this (from what I've been told by Cisco) - although I'd be happy to hear of other ways to monitor my Wireless client data.
Therefore, I have configured my WLC to send SNMP traps to my Splunk instance. That works great but since I don't have the appropriate MIB information the data is mostly unusable.
I've downloaded the MIB file from here (the AIRESPACE-WIRELESS-MIB)
ftp://ftp.cisco.com/pub/mibs/supportlists/wlc/wlc-supportlist.html
I'm now attempting to build my python MIB file for the AIRESPACE-WIRELESS-MIB using:
build-pysnmp-mib -o AIRESPACE-WIRELESS-MIB.py AIRESPACE-WIRELESS-MIB.mib
I get an error when doing this so I've modified this line in the plain text MIB file:
AIRESPACE-WIRELESS-MIB DEFINITIONS ::= BEGIN
to
AIRESPACE-WIRELESS-MIB.mib DEFINITIONS ::= BEGIN
It then appears to run properly; no errors when running the build-pysnmp-mib. However, the outputted .py file is very small - around 850k and only contains data in the Imports section. I've attempted to add the .py file to the mibs directory on my Splunk server and add the appropriate MIB file name to the Splunk SNMP Modular Input configuration section but no luck.
Does anyone have a Python AIRESPACE-WIRELESS-MIB, or is anyone able to point me in the right direction?
Thanks!
I am having difficulties with compiling Cisco wireless MIBs too. This is really painful and I've tried everything. Nothing works:
root@CZ-SLG003:~/mibs/cisco/wlc/8.5/all# mibdump.py CISCO-LWAPP-DOT11-CLIENT-MIB.my
Source MIB repositories: file:///usr/share/snmp/mibs, http://mibs.snmplabs.com/asn1/@mib@
Borrow missing/failed MIBs from: http://mibs.snmplabs.com/pysnmp/notexts/@mib@
Existing/compiled MIB locations: pysnmp.smi.mibs, pysnmp_mibs
Compiled MIBs destination directory: /root/.pysnmp/mibs
MIBs excluded from code generation: INET-ADDRESS-MIB, PYSNMP-USM-MIB, RFC-1212, RFC-1215, RFC1065-SMI, RFC1155-SMI, RFC1158-MIB, RFC1213-MIB, SNMP-FRAMEWORK-MIB, SNMP-TARGET-MIB, SNMPv2-CONF, SNMPv2-SMI, SNMPv2-TC, SNMPv2-TM, TRANSPORT-ADDRESS-MIB
MIBs to compile: CISCO-LWAPP-DOT11-CLIENT-MIB
Destination format: pysnmp
Parser grammar cache directory: not used
Also compile all relevant MIBs: yes
Rebuild MIBs regardless of age: no
Dry run mode: no
Create/update MIBs: yes
Byte-compile Python modules: yes (optimization level no)
Ignore compilation errors: no
Generate OID->MIB index: no
Generate texts in MIBs: no
Keep original texts layout: no
Try various file names while searching for MIB module: yes
Created/updated MIBs:
Pre-compiled MIBs borrowed:
Up to date MIBs: BRIDGE-MIB, CISCO-LWAPP-DOT11-CLIENT-MIB, CISCO-LWAPP-DOT11-MIB, CISCO-LWAPP-MOBILITY-EXT-MIB, CISCO-LWAPP-RF-MIB, CISCO-LWAPP-TC-MIB, CISCO-LWAPP-WLAN-MIB, CISCO-SMI, CISCO-TC, ENTITY-MIB, IANAifType-MIB, IF-MIB, INET-ADDRESS-MIB, P-BRIDGE-MIB, Q-BRIDGE-MIB, RFC-1212, RFC-1215, RFC1155-SMI, RFC1213-MIB, RFC1271-MIB, RMON-MIB, RMON2-MIB, SNMP-FRAMEWORK-MIB, SNMPv2-CONF, SNMPv2-MIB, SNMPv2-SMI, SNMPv2-TC, TOKEN-RING-RMON-MIB
Missing source MIBs:
Ignored MIBs:
Failed MIBs: CISCO-LWAPP-AP-MIB (unknown type "(('Integer32', ''), [(u'true', 1), (u'false', 2)])" for defval "disable" of symbol "cLApCtsSxpMode" at MIB CISCO-LWAPP-AP-MIB)
root@CZ-SLG003:~/mibs/cisco/wlc/8.5/all#
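Added example, not part of the original posts and not Cisco, pysnmp or pysmi code: a pre-flight check that reads a MIB's module name from its DEFINITIONS header and lists the modules its IMPORTS clause depends on, so missing dependencies show up before the compiler runs. The sample MIB text, the EXAMPLE-* names and the function names are constructed for illustration; the check treats a module name as letters, digits and hyphens only.

```python
import re

# Constructed sample MIB text (not the contents of any real Cisco MIB).
SAMPLE_MIB = """\
-- constructed sample for illustration
EXAMPLE-WIRELESS-MIB DEFINITIONS ::= BEGIN

IMPORTS
    MODULE-IDENTITY, OBJECT-TYPE, Unsigned32
        FROM SNMPv2-SMI          -- base SMI
    TruthValue, MacAddress
        FROM SNMPv2-TC
    exampleRoot
        FROM EXAMPLE-SMI;

END
"""

NAME = r"[A-Za-z][A-Za-z0-9-]*"
HEADER_RE = re.compile(r"^\s*(" + NAME + r")\s+DEFINITIONS\s*::=\s*BEGIN", re.M)
IMPORTS_RE = re.compile(r"\bIMPORTS\b(.*?);", re.S)
FROM_RE = re.compile(r"(.*?)\bFROM\s+(" + NAME + r")", re.S)

def parse_mib(text):
    """Return (module_name, {imported_module: [symbols]}) for one MIB source."""
    # Simplification: treat every "--" as a comment running to end of line.
    text = re.sub(r"--.*", "", text)
    header = HEADER_RE.search(text)
    if header is None:
        raise ValueError("no '<module> DEFINITIONS ::= BEGIN' header found")
    imports = {}
    block = IMPORTS_RE.search(text)
    if block:
        for symbols, module in FROM_RE.findall(block.group(1)):
            names = [s.strip() for s in symbols.split(",") if s.strip()]
            imports.setdefault(module, []).extend(names)
    return header.group(1), imports

def missing_modules(text, available):
    """Imported modules that are not in the set of modules already on hand."""
    _, imports = parse_mib(text)
    return sorted(m for m in imports if m not in available)

if __name__ == "__main__":
    name, deps = parse_mib(SAMPLE_MIB)
    print("module:", name)
    for module, symbols in deps.items():
        print("  needs", module, "for", ", ".join(symbols))
    print("missing:", missing_modules(SAMPLE_MIB, {"SNMPv2-SMI", "SNMPv2-TC"}))
```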
Went another route on this.
Sent SNMP Traps and Syslogs from the WLC to our Solarwinds server (use whatever NMS you've got that can take in traps and parse them) then set it up to write the data to a log file on the local disk.
Then, installed the universal forwarder to forward data from that log file to Splunk.
So here is how I did it... I altered every one of my NPM alerts to have a trigger action that sends out a syslog message to my syslog-ng server. I configured the syslog-ng server to store these new messages in their own directory. I then modified my inputs.conf file, for the universal forwarder on the syslog-ng server, to look at this new directory for data and assigned a sourcetype of "linux_messages_syslog". I am not sure if this is correct because I did not see any pre-defined sourcetypes for SolarWinds syslog. I then "fired" the NPM alerts and searched with Splunk for data matching the sourcetype, and there it was! Thus, the NPM alerts poll the devices via SNMP, the alert then sends the results out via syslog, and now Splunk has SNMP data!
If anyone knows of a better sourcetype for SolarWinds syslog data, please let me know.
Jon
Hi Jeremy,
This sounds like something I would really like to do as well. When you say "set it up to write the data to a log file on the local disk", I assume you are referring to SNMP Traps coming into NPM? We don't use traps as we have NPM set up to actively poll everything via SNMP on timers. Do you know of a way to get NPM to write out the data to a log file so that a universal forwarder can then send it on to Splunk? I really don't want to have to configure traps on all our gear.
Thanks,
Jon
Jon,
I'm sorry, I do not know of a way to have NPM write the SNMP data to a log file.
Getting closer... found that the issue is related specifically to the MIB and the build of the AIRESPACE-WIRELESS-MIB via smidump.
Will post final .py MIB once I have it working.
Did you solve your problems? I am also attempting to monitor wireless client information for my Cisco WLC.
I compiled my Cisco Custom MIBs with pysmi from http://pysmi.sourceforge.net/. This process seems to work but snmp.py fails after all.