SNMP Traps not being parsed properly

I am trying to collect the traps from a UPS device. When I installed my app on my development instance, which is a standalone environment, I was able to collect the data properly.

I then tried to ingest the data to our production environment, which is a clustered environment (multiple indexers, search heads and heavy forwarders). I have installed the SNMP TA on one of the heavy forwarders and all the search heads [SNMP TA is not present on indexers]. From the UPS, I am sending the traps to a heavy forwarder, and the heavy forwarder is in turn ingesting them to our indexers. Ports are opened. I am able to receive the data but the data is not being parsed properly. I am getting some garbage symbols and values. I have placed a custom MIB for APC UPS in the mibs directory of the app on the heavy forwarder.

I saw that a few people have said that changing the trap_host in the inputs.conf stanza to DNS or IP resolved their issue. I tried that as well but still had no luck.

Could you please let me know if I have missed any steps here?

0 Karma

Re: SNMP Traps not being parsed properly

SplunkTrust

In terms of dev and prod, are they different ones, e.g. AWS EC2 for dev and RHEL for prod? In your prod, do you have DNS/IP resolution (assuming this works in dev and not in prod per your notes above)? What TA are you using?

0 Karma

Re: SNMP Traps not being parsed properly

My dev instance is running on RHEL 7 and my production is running on RHEL 6.

Yes, I do have DNS/IP resolution on both my dev and production. I have verified this using nslookup on both my boxes.

I am using SNMP TA (modular input).
In the app, they have mentioned that by default all the events will be ingested to snmp_ta so I did not create any new sourcetypes.
I am not sure if the data that is being ingested in my prod is being encrypted (don't know how to verify this either). The data that is being ingested in my production looks like this.

0e
0aztec\xA7s0c#

0e
0aztec\xA7s0b\xA2
0e
0aztec\xA7s0b\xBA
0e

0 Karma
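
The post above asks how to tell whether the garbled events are encrypted. One check, as an added example that is not part of the thread or of the SNMP TA: test whether the raw bytes parse as a BER-encoded SNMP v1/v2c message, whose outer SEQUENCE tag 0x30 displays as `0` and whose SNMPv2-Trap PDU tag is 0xA7. The function names and the sample bytes are constructed for illustration, and reading the thread's events as undecoded BER is an assumption the thread does not confirm; SNMPv3 is not handled.

```python
# Added example: decide whether a raw payload is a BER-encoded SNMP v1/v2c message.
PDU_TAGS = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "Response",
            0xA3: "SetRequest", 0xA4: "Trap (v1)", 0xA5: "GetBulkRequest",
            0xA6: "InformRequest", 0xA7: "SNMPv2-Trap", 0xA8: "Report"}
VERSIONS = {0: "v1", 1: "v2c"}


def read_tlv(buf, pos):
    """Return (tag, value_bytes, next_pos) for the BER TLV starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def describe_snmp(payload):
    """Return header fields if payload is an SNMP v1/v2c message, else None."""
    try:
        tag, body, _ = read_tlv(payload, 0)
        if tag != 0x30:  # outer SEQUENCE; byte 0x30 renders as ASCII '0'
            return None
        vtag, ver, pos = read_tlv(body, 0)
        ctag, community, pos = read_tlv(body, pos)
        ptag, _, _ = read_tlv(body, pos)
    except ValueError:
        return None
    if vtag != 0x02 or ctag != 0x04 or ptag not in PDU_TAGS:
        return None
    version = int.from_bytes(ver, "big")
    if version not in VERSIONS:
        return None
    # v1/v2c carry the community string in cleartext, so a readable community
    # here means the payload is encoded, not encrypted.
    return {"version": VERSIONS[version],
            "community": community.decode("ascii", "replace"),
            "pdu": PDU_TAGS[ptag]}


# Constructed sample: v2c trap header, community "example", empty varbind list.
SAMPLE = (bytes.fromhex("30190201010407") + b"example"
          + bytes.fromhex("a70b0201010201000201003000"))
```

A payload that returns a dictionary here is an undecoded SNMP packet rather than encrypted data; `None` means the bytes are something else or are too incomplete to classify.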

Re: SNMP Traps not being parsed properly

SplunkTrust

I assume you have followed through the documentation in https://splunkbase.splunk.com/app/1537/#/details and loaded activation keys. Are you seeing any errors in 'splunkd.log'?

0 Karma

Re: SNMP Traps not being parsed properly

Yes, I did follow the same documentation. The only error in splunkd on the production box is
"message from "python /opt/splunk/etc/apps/snmpta/bin/snmp.py" No SNMP response received before timeout snmpstanza:snmp://test"

I did a btool on snmp://test but that did not yield any result.

0 Karma

Re: SNMP Traps not being parsed properly

SplunkTrust

The message seems to indicate you are not receiving the traps in prod before the timeout. Do you have connectivity? Or perhaps increase the timeout to test?

0 Karma

Re: SNMP Traps not being parsed properly

Yes, we do have connectivity. There are no configurations set for snmp:test because I verified using btool and no result came back.

I do not see any configurations that I can do to increase the timeout from UI. I configured all my inputs using Data Inputs --> SNMP UI option. I do not see any configs related to timeout. Can you please suggest where else I should be increasing the timeout?

0 Karma

Re: SNMP Traps not being parsed properly

SplunkTrust

There is an option in inputs.conf for timeout; the default is 1 sec. Please check etc/apps/snmp_ta/README/inputs.conf.spec for all available settings.

0 Karma

Re: SNMP Traps not being parsed properly

I have set the timeout to 15 seconds now. Still not seeing the data in proper format. I am still getting timeout.

0 Karma

Re: SNMP Traps not being parsed properly

Engager

Hi, if you weren't able to fix it yet, what you need to do is, in the SNMP modular input, write the Splunk server IP on the trap listener port. Let me know if it works.

0 Karma