Getting Data In

Best Practices for SNMP traps from Universal Forwarder

thefilmguy
New Member

I am trying to send SNMP traps from Cisco wireless controllers to our universal forwarder which has net-snmp installed. While I have it working and data is getting to the indexer, I have a few problems listed below. Note that I cannot send traps directly to splunk. All data needs to hit the UF first.

SNMP output is not clean
With the STRING, INTEGER, and other random output between the key values, it's causing Splunk to incorrectly parse them. A hacky way would be for me to use SEDCMD to remove this data in props.conf but it is not working. My assumption is SEDCMD does not work on a Windows indexer but I've been told it should. Is there a better way with net-snmp to prevent this?

2019-12-27 10:14:28 Agent_Address = 0.0.0.0
Agent_Hostname = UDP: [10.20.20.10]:44369->[10.20.20.200]:162
PDU_Attribute_Value_Pair_Array:
sysUpTimeInstance = Timeticks: (1440866000) 166 days, 18:24:20.00
snmpTrapOID.0 = OID: bsnDot11StationAssociate
bsnStationAPMacAddr.0 = STRING: 5c:83:8f:79:6d:40
bsnStationAPIfSlotId.0 = INTEGER: 1
bsnUserIpAddress.0 = IpAddress: 10.20.196.141
bsnStationUserName.0 = STRING: limguest
bsnStationMacAddress.0 = STRING: 78:7e:61:d1:d0:f8
bsnAPName.0 = STRING: "uslcoAP2302"
---

Breaker lines not working
I am having multiple events appear under a single event in Splunk.

props.conf

[snmptrapd]
DATETIME_CONFIG =
KV_MODE = none
LINE_BREAKER = ([\r\n]+)Agent_Address\s=
MAX_TIMESTAMP_LOOKAHEAD = 60
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
TIME_FORMAT = %Y-%m-%d %H:%M:%S
TIME_PREFIX = Date\s=\s
TZ = UTC
category = Custom
description = parse snmptrapd logging with custom kvpair splunk formatting
disabled = false
pulldown_type = true
EXTRACT-node = ^[^\[\n]*\[(?P<node>[^\]]+)
REPORT-snmptrapd = snmptrapd_kv
0 Karma
Get Updates on the Splunk Community!

Index This | A sphere has three, a circle has two, and a point has zero. What is it?

September 2023 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

Build Scalable Security While Moving to Cloud - Guide From Clayton Homes

 Clayton Homes faced the increased challenge of strengthening their security posture as they went through ...

Mission Control | Explore the latest release of Splunk Mission Control (2.3)

We’re happy to announce the release of Mission Control 2.3 which includes several new and exciting features ...