Getting Data In

Best Practices for SNMP traps from Universal Forwarder

thefilmguy
New Member

I am trying to send SNMP traps from Cisco wireless controllers to our universal forwarder which has net-snmp installed. While I have it working and data is getting to the indexer, I have a few problems listed below. Note that I cannot send traps directly to splunk. All data needs to hit the UF first.

SNMP output is not clean
With the STRING, INTEGER, and other random output between the key values, it's causing Splunk to incorrectly parse them. A hacky way would be for me to use SEDCMD to remove this data in props.conf but it is not working. My assumption is SEDCMD does not work on a Windows indexer but I've been told it should. Is there a better way with net-snmp to prevent this?

2019-12-27 10:14:28 Agent_Address = 0.0.0.0
Agent_Hostname = UDP: [10.20.20.10]:44369->[10.20.20.200]:162
PDU_Attribute_Value_Pair_Array:
sysUpTimeInstance = Timeticks: (1440866000) 166 days, 18:24:20.00
snmpTrapOID.0 = OID: bsnDot11StationAssociate
bsnStationAPMacAddr.0 = STRING: 5c:83:8f:79:6d:40
bsnStationAPIfSlotId.0 = INTEGER: 1
bsnUserIpAddress.0 = IpAddress: 10.20.196.141
bsnStationUserName.0 = STRING: limguest
bsnStationMacAddress.0 = STRING: 78:7e:61:d1:d0:f8
bsnAPName.0 = STRING: "uslcoAP2302"
---

Breaker lines not working
I am having multiple events appear under a single event in Splunk.

props.conf

[snmptrapd]
DATETIME_CONFIG =
KV_MODE = none
LINE_BREAKER = ([\r\n]+)Agent_Address\s=
MAX_TIMESTAMP_LOOKAHEAD = 60
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
TIME_FORMAT = %Y-%m-%d %H:%M:%S
TIME_PREFIX = Date\s=\s
TZ = UTC
category = Custom
description = parse snmptrapd logging with custom kvpair splunk formatting
disabled = false
pulldown_type = true
EXTRACT-node = ^[^\[\n]*\[(?P<node>[^\]]+)
REPORT-snmptrapd = snmptrapd_kv
0 Karma
.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!