Solved: SNMP Splunk MA App for Netcool is not sending trap...

HansK · ‎01-29-2019

We have installed "SNMP Splunk MA App for Netcool" on a new search head and linked the search head to the indexers.

An alert with the trigger action "Netcool Custom Modular Alert"has been created and all fieds have been filled.

We see a log entry in /opt/splunk/var/log/splunk/netcool_custom_modular_alert.log:
2019-01-28 07:59:02,230 INFO START
2019-01-28 07:59:02,230 INFO splunkapp:search, splunksearch:test_xxxxxx, snmp_serverip:172.22.171.164, snmp_port:162, snmp_community:xxxxx, snmp_hostname:, snmp_alertmessage:More than 1 release cause 5XX in last 30 minutes for customer xxxx xxxxx, snmp_severity:5, splunk_escalation:xxxxxxxx, splunk_payload:{u'configuration': {u'hostname': u'', u'enterpriseSNMPSpecificObjectID': u'9', u'customtext': u'', u'AlertKey': u'123456789', u'community': u'public', u'alertmessage': u'More than 1 release cause 5XX in last 30 minutes for customer xxxxxxxxxt', u'enterpriseSNMPObjectID': u'1.2.3.4.5.6.7.8', u'enterpriseSNMPSpecificTrapID': u'10', u'serverip': u'172.22.171.164:162', u'escalation': u'xxxxxxxxx', u'severity': u'5'}, u'results_link': u'http://xxxxxxxxx:8000/app/search/search?q=%7Cloadjob%20scheduler__admin__search__RMD510cd368a33d67d8...', u'server_uri': u'https://127.0.0.1:8089', u'results_file': u'/opt/splunk/var/run/splunk/dispatch/scheduler_adminsearchRMD510cd368a33d67d83_at_1548658740_9899/per_result_alert/tmp_0.csv.gz', u'result': {u'count(Q21_sip_dest_respcode)': u'2'}, u'sid': u'scheduleradminsearch_RMD510cd368a33d67d83_at_1548658740_9899', u'search_name': u'test_xxxxxxxl', u'server_host': u'xxxxxxxxxxxxx', u'search_uri': u'/servicesNS/nobody/search/saved/searches/test_xxxxxxx', u'session_key': u'd0X5lh5dXc7S9uTW^82E4eQ1l9z6jQpVjKhTm3xczVgILSEZjkVRvHf6z2QXOvv9MR197IjzD5_50uJ0anuIwvZwuYFGTcSmBuuI^L9QsYNPmwZKFplYgJPy8VbVPC^i1W82Gfvt8FY', u'app': u'search', u'owner': u'admin'}, splunk_customtext:
2019-01-28 07:59:02,272 INFO STOP

We receive nothing at the dest ip 172.22.171.164:162

Also nothing is seen on the wire with tcpdump (other snmp sending procs on this server do work and are seen on the wire):
tcpdump -i any -s 0 host 172.22.171.164 and port 162

HansK · ‎01-31-2019

Well found the answer:
In the alert it says "Specify Your Unique Enterprise OID. Example: 1.2.3.4.5.6.7.8"

When using this sample OID nothing gets sent out, when you change it to a valid OID like 1.3.6.1.2.1.43.18.2.0.1 it starts working.

View solution in original post

HansK · ‎01-31-2019

Well found the answer:
In the alert it says "Specify Your Unique Enterprise OID. Example: 1.2.3.4.5.6.7.8"

When using this sample OID nothing gets sent out, when you change it to a valid OID like 1.3.6.1.2.1.43.18.2.0.1 it starts working.

wluca · ‎01-31-2019

well done HansK

petom · ‎01-30-2019

Is there a firewall between your search head and Netcool SNMP probe?
Either local, OS firewall (iptables) or external in the path between the search head and the probe.

HansK · ‎01-31-2019

There are no firewalls.
But the problem is there is nothing leaving the machine:
If i send a snptrap on the cli (snmptrap -c public -v 2c 172.22.171.164 "" 1.3.6.1.2.1.43.18.2.0.1) it gets caught by : tcpdump -i any -s 0 host 172.22.171.164 and port 162

None of the alerts using the netcool app send anything , although logs do appear in /opt/splunk/var/log/splunk/netcool_custom_modular_alert.log, tcpdump locally sees nothing going out.

HansK · ‎01-29-2019

OS Centos7
Splunk version 7.2.3

SNMP Splunk MA App for Netcool is not sending traps

Observability Unlocked: Kubernetes Monitoring with Splunk Observability Cloud

Wrapping Up Cybersecurity Awareness Month

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

Are you a member of the Splunk Community?

SNMP Splunk MA App for Netcool is not sending traps

Observability Unlocked: Kubernetes Monitoring with Splunk Observability Cloud

Wrapping Up Cybersecurity Awareness Month

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2