
SNMP Modular input : unable to get snmp traps

Motivator
  • Configured a Cisco router to send traps to my Splunk host via port 162;
  • Installed the SNMP add-on;
  • Downloaded the SNMPv2-SMI, SNMPv2-TC, IANAifType-MIB, RFC1213-MIB, SNMPv2-MIB, SNMPv2-CONF and IF-MIB MIBs from the Cisco website and converted them to Python files with 'build-pysnmp-mib' (e.g. SNMPv2-CONF.py, IF-MIB.py). Is this fine, or is compiled code needed?
  • Moved the .py files to the $SPLUNKROOT/etc/apps/snmpta/bin/mibs/ directory;
  • Created and configured a new SNMP input (inputs.conf):

    [snmp://readsnmp]
    do_bulk_get = 0
    host = 10.0.255.46
    listen_traps = 1
    ipv6 = 0
    snmp_mode = traps
    snmp_version = 2C
    sourcetype = readsnmp
    split_bulk_output = 0
    trap_host = 10.0.255.247
    trap_port = 162
    v3_authProtocol = usmHMACMD5AuthProtocol
    v3_privProtocol = usmDESPrivProtocol
    mib_names = SNMPv2-SMI,SNMPv2-TC,IANAifType-MIB,RFC1213-MIB,SNMPv2-MIB,SNMPv2-CONF,IF-MIB

Corrections made with the help of Splunk Answers:

  • Corrected the host name (localhost) to the proper IP address of the Splunk host, as I set it in the Cisco router.
  • Updated the conf file with listen_traps = 1
  • Checked for errors with the query: "index=_internal ExecProcessor error snmp.py"

Results (from this error, do I need to correct something? Please advise!):

10.0.255.103 - admin [23/Oct/2014:14:37:56.321 +0000] "GET /en-US/api/shelper?snippet=true&snippetEmbedJS=false&namespace=search&search=search+index%3D_internal+ExecProcessor+error+snmp.py+&useTypeahead=true&useAssistant=true&showCommandHelp=true&showCommandHistory=true&showFieldInfo=false&_=1414075022892 HTTP/1.1" 200 748 "http://10.0.255.247:8000/en-US/app/search/search?q=search%20index%3D*%20host%3D%2210.0.255.46%22&earliest=&latest=&sid=1414075069.31" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36" - 544912c4527fa79c57c0d0 130ms

10.0.255.103 - admin [23/Oct/2014:14:12:39.735 +0000] "GET /en-US/api/shelper?snippet=true&snippetEmbedJS=false&namespace=search&search=search+index%3D_internal+ExecProcessor+error+snmp.py+&useTypeahead=true&useAssistant=true&showCommandHelp=true&showCommandHistory=true&showFieldInfo=false&_=1414070887398 HTTP/1.1" 200 750 "http://10.0.255.247:8000/en-US/app/search/search?q=search%20index%20%3D*%20host%3D%2210.0.255.46%22&earliest=&latest=&sid=1414073547.86" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36" - 54490cd7bc7f539012ba50 262ms

Still I could not see any traps in the search app 😞
Is there anything else to set up?

Please help.

0 Karma
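The two corrections in the post above (trap_host pointing at localhost instead of the Splunk host's address, and a missing listen_traps = 1) are easy to catch before restarting Splunk. The checker below is an added example, not part of the thread or of the SNMP add-on; it parses an inputs.conf snippet with the standard library and flags those two mistakes plus any key that is not in the (assumed, partial) set of keys seen in this thread.

```python
import configparser

# Keys used by the SNMP modular input stanzas quoted in this thread, plus the
# standard Splunk input keys "host", "index", "disabled". Assumed partial list.
KNOWN_KEYS = {
    "communitystring", "disabled", "do_bulk_get", "do_get_subtree", "host", "index",
    "ipv6", "listen_traps", "mib_names", "snmp_mode", "snmp_version", "sourcetype",
    "split_bulk_output", "trap_host", "trap_port", "trap_rdns",
    "v3_authProtocol", "v3_privProtocol",
}
LOOPBACK = {"", "localhost", "127.0.0.1", "::1"}


def check_snmp_stanzas(conf_text):
    """Return {stanza: [problem, ...]} for every [snmp://...] stanza in inputs.conf text."""
    cp = configparser.RawConfigParser()
    cp.optionxform = str  # keep key case, e.g. v3_authProtocol
    cp.read_string(conf_text)
    report = {}
    for section in cp.sections():
        if not section.startswith("snmp://"):
            continue
        keys = dict(cp.items(section))
        problems = [
            "unknown key %r (missing underscore?)" % k for k in keys if k not in KNOWN_KEYS
        ]
        if keys.get("snmp_mode") == "traps":
            if keys.get("listen_traps") != "1":
                problems.append("snmp_mode=traps but listen_traps is not 1")
            host = keys.get("trap_host", "")
            if host.lower() in LOOPBACK:
                # A loopback bind never receives traps sent by the router.
                problems.append("trap_host %r is loopback/empty; use the reachable address" % host)
        report[section] = problems
    return report


# Constructed sample mirroring the stanza in the first post before its corrections.
SAMPLE = """
[snmp://readsnmp]
do_bulk_get = 0
host = 10.0.255.46
snmp_mode = traps
snmp_version = 2C
sourcetype = readsnmp
trap_host = localhost
trap_port = 162
mib_names = SNMPv2-SMI,IF-MIB
"""
```

Run it against $SPLUNK_HOME/etc/apps/<app>/local/inputs.conf before restarting; an empty list for a stanza means none of the thread's three mistakes is present.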

Contributor

Hi there,

Today I installed the Splunk SNMP app on our indexer/search head.
After restarting the splunk service, I configured a stanza in inputs.conf to collect SNMP traps.

[snmp://TEST_EVENT]
communitystring = public
do_bulk_get = 0
do_get_subtree = 0
index = test
ipv6 = 0
snmp_mode = traps
snmp_version = 1
sourcetype = snmp
split_bulk_output = 0
trap_rdns = 1
v3_authProtocol = usmHMACMD5AuthProtocol
v3_privProtocol = usmDESPrivProtocol
trap_host = SERVERNAME
trap_port = 162

After that, I configured a server to send traps to the Splunk SH/indexer.

I checked the splunkd.log and found the following ERROR message.

01-15-2015 08:46:55.054 +0100 ERROR ExecProcessor - message from "python /splunk/opt/splunk/etc/apps/snmp_ta/bin/snmp.py" Failed to register transport and run dispatcher: bind() for (u'SERVERNAME', 162) failed: [Errno 98] Address already in use snmp_stanza:snmp://TEST_EVENT

I tried different trap_host definitions (SERVERNAME, IP address, SERVERNAME.domain), but nothing works.

Has anybody had the same problem?
Could the problem occur because snmptrapd and snmptt are running on the server?

snmp     14758     1  0 Jan14 ?        00:00:22 /usr/sbin/snmpd -Lsd -Lf /dev/null -u snmp -g snmp -I -smux mteTrigger mteTriggerConf -p /var/run/snmpd.pid
snmptt   14760     1  0 Jan14 ?        00:00:01 /usr/sbin/snmptrapd -Lsd -Lf /var/log/snmptt/snmptt.log -On -C -c /etc/snmp/snmptrapd.conf -p /var/run/snmptrapd.pid -u snmptt
root     17440     1  0 Jan14 ?        00:00:00 /usr/bin/perl /usr/sbin/snmptt --daemon
snmptt   17441 17440  0 Jan14 ?        00:00:05 /usr/bin/perl /usr/sbin/snmptt --daemon

I did this because my first attempt was to collect all the traps in a dedicated file and then have the Splunk process read that file.

It would be very nice if someone could help me and explain where the problem is.

0 Karma

Contributor

Me again,

I have now found my mistake. As I said in my answer, I had to stop the snmptrapd process, and now I see data in Splunk.
But although I now see data in Splunk search, I have a problem with my custom MIB.
In splunkd.log I got this error message:

01-15-2015 12:32:31.802 +0100 ERROR ExecProcessor - message from "python /splunk/opt/splunk/etc/apps/snmp_ta/bin/snmp.py" pysnmp.smi.error.SmiError: MIB module "/splunk/opt/splunk/etc/apps/snmp_ta/bin/mibs/SAATRAP.py" load error: ['Traceback (most recent call last):\n', '  File "/splunk/opt/splunk/etc/apps/snmp_ta/bin/pysnmp-4.2.5-py2.7.egg/pysnmp/smi/builder.py", line 255, in loadModules\n    exec(modData, g)\n', '  File "<string>", line 7, in <module>\n', '  File "/splunk/opt/splunk/etc/apps/snmp_ta/bin/pysnmp-4.2.5-py2.7.egg/pysnmp/smi/builder.py", line 294, in importSymbols\n    \'importSymbols: empty MIB module name\'\n', 'SmiError: importSymbols: empty MIB module name\n']

Is there a way to check my .py file?
Is there another log file where I can find some more information?

Thanks.

0 Karma

Path Finder

I have nearly the same errors:

01-05-2016 15:07:46.072 +0100 ERROR ExecProcessor - message from "python E:\Splunk\etc\apps\snmp_ta\bin\snmp.py" pysnmp.smi.error.SmiError: MIB module "E:\Splunk\etc\apps\snmp_ta\bin\mibs\CISCO-LWAPP-AP-MIB.py" load error: ['Traceback (most recent call last):\n', ' File "E:\\Splunk\\etc\\apps\\snmp_ta\\bin\\pysnmp-4.2.5-py2.7.egg\\pysnmp\\smi\\builder.py", line 255, in loadModules\n exec(modData, g)\n', ' File "<string>", line 10, in <module>\n', ' File "E:\\Splunk\\etc\\apps\\snmp_ta\\bin\\pysnmp-4.2.5-py2.7.egg\\pysnmp\\smi\\builder.py", line 306, in importSymbols\n \'No symbol %s::%s at %s\' % (modName, symName, self)\n', 'SmiError: No symbol CISCO-LWAPP-DOT11-MIB::cldRegulatoryDomain at <pysnmp.smi.builder.MibBuilder instance at 0x0000002099F4F5C8>\n']

Did you solve your problem?

0 Karma
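Both pysnmp errors quoted in the two posts above ("importSymbols: empty MIB module name" and "No symbol CISCO-LWAPP-DOT11-MIB::cldRegulatoryDomain") come from the importSymbols calls at the top of a compiled MIB .py file. The script below is an added example, not from the thread or the SNMP add-on: it parses a compiled MIB with Python's ast module and reports an empty module name (typically left behind when a dependency could not be resolved at compile time) or an imported module whose .py is absent from the mibs directory. The built-in module list and the sample MIB are constructed assumptions, not real vendor files.

```python
import ast

# MIB modules pysnmp ships itself, so they need no .py in the mibs directory.
# Assumed partial list for this example.
BUILTIN_MIBS = {"ASN1", "ASN1-ENUMERATION", "ASN1-REFINEMENT", "SNMPv2-SMI",
                "SNMPv2-TC", "SNMPv2-CONF", "SNMPv2-MIB", "IF-MIB", "RFC1213-MIB"}


def check_compiled_mib(source, available_mibs, filename="<mib>"):
    """Scan one pysnmp-compiled MIB module (Python source text) and return a
    sorted list of (line, message) for the import failures seen in this thread.
    available_mibs: names of the .py modules present in the mibs directory."""
    problems = []
    for node in ast.walk(ast.parse(source, filename)):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr == "importSymbols"):
            continue
        if not node.args or not isinstance(node.args[0], ast.Constant):
            problems.append((node.lineno, "importSymbols with non-literal module name"))
            continue
        module = node.args[0].value
        symbols = [a.value for a in node.args[1:] if isinstance(a, ast.Constant)]
        if module == "":
            # pysnmp raises 'SmiError: importSymbols: empty MIB module name' here
            problems.append((node.lineno, "empty MIB module name for symbols %s "
                             "(dependency unresolved when the MIB was compiled)" % symbols))
        elif module not in BUILTIN_MIBS and module not in available_mibs:
            # pysnmp raises 'SmiError: No symbol <MOD>::<sym>' when loading this
            problems.append((node.lineno, "imports %s::%s but %s.py is not in the mibs "
                             "directory" % (module, ",".join(symbols), module)))
    return sorted(problems)


# Constructed sample in the shape smidump/libsmi2pysnmp emits; not a real vendor MIB.
SAMPLE_MIB = '''# PySNMP SMI module. Autogenerated (constructed sample)
( Integer, ObjectIdentifier, OctetString, ) = mibBuilder.importSymbols("ASN1", "Integer", "ObjectIdentifier", "OctetString")
( ModuleIdentity, NotificationType, ) = mibBuilder.importSymbols("SNMPv2-SMI", "ModuleIdentity", "NotificationType")
( DisplayString, ) = mibBuilder.importSymbols("SNMPv2-TC", "DisplayString")
( cldRegulatoryDomain, ) = mibBuilder.importSymbols("CISCO-LWAPP-DOT11-MIB", "cldRegulatoryDomain")
( saaFoo, ) = mibBuilder.importSymbols("", "saaFoo")
'''
```

To check a real file, read it into `source` and pass the set of `*.py` basenames (without extension) found in the add-on's bin/mibs/ directory as `available_mibs`; an empty module name means the MIB has to be recompiled with the missing dependency on the compiler's search path.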

Motivator

Thanks, Damien.

0 Karma

Motivator

Yes. It actually works well. Previously, no traps were generated by the Cisco; once I shut down and brought up the interface, it sent some traps.

Thanks,

By the way, can I set the inputs.conf on my heavy forwarder and send the traps from the device to the forwarder's IP? I don't want my search head to do this receiving job.

0 Karma

Ultra Champion

Yes, using a forwarder (heavy or universal) would be the recommended approach.

0 Karma

Ultra Champion

Can you confirm that port 162 is actually open and listening?

Try the hostname rather than the IP for binding?

Can you see the actual traps being sent on the wire to the expected port/interface (i.e. using Wireshark)?

0 Karma