We have a SAP platform sending SNMP traps to a Splunk host. We have configured the net-snmp service to capture those traps and save them to a file which Splunk will then monitor.
The service is catching and saving the traps but it is not translating the OIDs into their names. We have imported the MIB file and if I manually run a snmp translate command against any of the OIDs in the traps we are capturing I am able to successfully translate it.
Is it possible for this service to translate them before saving to file?
Can anyone provide me with a step-by-step guide on how to configure SNMP, as it's a nightmare to find anything decent online?
Are there any better ways of doing this? We don't want to use the Splunk SNMP modular input as it's badly documented, we don't know how to configure it and we want the SNMP capture to be independent of Splunk for resilience.
We had to mess something up the first time we tried to configure the SNMP trap. We wiped the config, started again and now it's working fine.
We used the following instructions to configure it:
SNMP Trap setup with custom MIB for SAP:
· Install both net-snmp and net-snmp-utils: sudo yum install -y net-snmp net-snmp-utils
· Copy the *MIB.txt file to /usr/share/snmp/mibs/ (where the inbuilt ones reside)
· Configure the authCommunity variable in /etc/snmp/snmptrapd.conf: authCommunity log public
· Add the start-up options for the snmptrapd process in /etc/sysconfig/snmptrapd, referencing the SAP MIB (via the name specified in the Definitions line in the file, not the file name): OPTIONS="-A -Lf /var/log/snmptrapd.log -m SAP-MIB -p /var/run/snmptrapd.pid"
· Start the snmptrapd and snmpd services:
  service snmptrapd start
  service snmpd start
· Check /var/log/snmptrapd.log for an initial start-up message displaying the NET-SNMPD version
· Test to see if we can internally send SNMP traffic to the trap, replacing the IP address: snmptrap -v 1 -c public x.x.x.x .22.214.171.124.1.14 "" 0 0 coldStart.0s
· A corresponding entry should appear in /var/log/snmptrapd.log: 2015-08-09 09:50:12 0.0.0.0(via UDP: [10.185.11.50]:64763->[10.185.11.50]) TRAP, SNMP v1, community public
SNMP traffic should now be received on port 162, and the field names should be converted from numerical codes like .126.96.36.199.1.14 into field names.
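One way to check the last step of the answer above over the log file before pointing Splunk at it (an added example, not part of the original answer): it parses the snmptrapd header line in the format quoted above and lists varbind OIDs that were written without MIB translation. The tab-separated "OID = TYPE: value" varbind layout, the EXAMPLE-MIB name, the enterprise number 99999 and the version in the banner are assumptions made for the sample.

```python
import re

# Header line written by snmptrapd, in the format quoted in the answer above.
HEADER = re.compile(
    r"^(?P<time>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<agent>\S+?)"
    r"\(via UDP: \[(?P<src>[^\]]+)\]:\d+->\[(?P<dst>[^\]]+)\](?::\d+)?\) "
    r"TRAP, SNMP (?P<version>v\w+), community (?P<community>\S+)"
)
# An OID counts as untranslated when it is purely numeric, or when net-snmp could
# only resolve a generic root and left numeric arcs below it.
NUMERIC = re.compile(
    r"^\.?\d+(?:\.\d+)+$|::(?:enterprises|private|mib-2|internet)(?:\.\d+)+$"
)

def parse_traps(lines):
    """Group log lines into traps and list varbind OIDs left untranslated."""
    traps = []
    for line in lines:
        m = HEADER.match(line)
        if m:
            traps.append({**m.groupdict(), "untranslated": []})
            continue
        if not traps:
            continue  # start-up banner or other non-trap line
        # Assumption: varbinds appear as tab-separated "OID = TYPE: value".
        for field in line.strip().split("\t"):
            name, sep, _value = field.partition(" = ")
            if sep and NUMERIC.search(name.strip()):
                traps[-1]["untranslated"].append(name.strip())
    return traps

# Constructed sample log (not captured from a real system).
SAMPLE = [
    "NET-SNMP version 5.7.2",
    "2015-08-09 09:50:12 0.0.0.0(via UDP: [10.185.11.50]:64763->[10.185.11.50]) TRAP, SNMP v1, community public",
    "\tSNMPv2-SMI::enterprises.99999.1.2 = STRING: \"job failed\"\t.1.3.6.1.4.1.99999.1.3 = INTEGER: 4",
    "2015-08-09 09:51:40 0.0.0.0(via UDP: [10.185.11.50]:64764->[10.185.11.50]) TRAP, SNMP v1, community public",
    "\tEXAMPLE-MIB::jobStatus.0 = STRING: \"job failed\"",
]

if __name__ == "__main__":
    for trap in parse_traps(SAMPLE):
        bad = trap["untranslated"]
        state = "UNTRANSLATED " + ", ".join(bad) if bad else "ok"
        print(trap["time"], trap["src"], trap["community"], state)
```

A trap that still shows entries under "untranslated" means the MIB named with -m was not loaded for that OID.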
Awesome. Thanks a lot for this. I did the same with other traps. The issue that I had was that the MIB didn't get compiled in because of ASN.1 syntax issues.
Yeah, we still have the strange issue that when I try to run the snmptranslate command to translate one of the OIDs it doesn't work now (when it did before), but at least the traps that are being saved to a file are being translated. That is all I care about.
I need to get printer SNMP data to Splunk. Can anybody explain the step-by-step procedure?