Hi All, I have been told to configure one of the Heavy Forwarder instances to receive and index the CISCO Prime traps. I had gone through the link https://docs.splunk.com/Documentation/Splunk/6.5.0/Data/SendSNMPeventstoSplunk provided in the Splunk documentation,
but I am not sure how to install / configure snmptrapd to capture the remote data.
Question:
1) From where do I need to download snmptrapd? Please provide me the link.
2) My Heavy Forwarder is running on Linux version "Red Hat Enterprise Linux Server release 7.3 (Maipo)" 64 bit OS, so what version of snmptrapd will be compatible?
3) How do I configure snmptrapd to capture the Cisco Prime traps? Where do I configure these two stanzas in snmptrapd?
snmptrapd -Lf /var/log/snmp-traps
snmptrapd -Lf /var/log/snmp-traps --disableAuthorization=yes
4) Once snmptrapd is configured, I will be configuring the below inputs.conf stanza, so that Splunk can read the traps from this location on the Heavy Forwarder.
inputs.conf
[monitor:///var/log/snmp-traps*]
index=network
sourcetype=network:cisco:primesnmp
Kindly guide me on the above questions.
You need the SNMP Modular Input app by @damiendallimore:
https://splunkbase.splunk.com/app/1537/
Hi Woodcock, thanks for your support on this. Yes, I have gone through the link, but my requirement is to configure one of the Splunk Heavy Forwarder instances to receive and index the CISCO Prime traps, and at the same time I need to have the index=network and sourcetype=network:cisco:primesnmp details configured in the inputs.conf stanza.
Kindly guide me whether we can do this via SNMP Modular Input app.
Hi Woodcock, I tried to install the app from Splunkbase on my test machine. After installing the app, I followed the steps below to capture the CISCO PRIME SNMP traps.
Steps:
1) Manager-->settings-->datainputs--snmp--new
2) SNMP Mode was set as "Listen for traps"
3) SNMP Version kept as "2c"
4) Community String as "Public"
5) Custom MIBs - "Left Blank"
6) Custom Response Handling
Response Handler --> Left Blank
Response Handler Arguments --> Left Blank
7) SNMP Trap listener settings
TRAP listener host " 10.X.X.X" --> Heavy Forwarder IP Address
TRAP listener port "162"
8) Reverse DNS lookup of trap sources. --> Left this option "unchecked"
9) Source type set to Manual
10) sourcetype : network:cisco:primesnmp
11) More settings -- > In this setting, I would like to set the index name as network.
Question :
1) How to set the index=network in the more settings ?
2) After saving the settings where I can see the inputs.conf stanza in this app. I mean from /opt/splunk/etc/apps/snmp_ta
3) Which option is better to capture the snmp traps, whether by using the snmptrapd or by using this app.
Kindly guide me on this.
thanks in advance.
@Hemnaath Custom MIBs - you may get from source Cisco device's management portal - download them and place them to your splunk instance machine (HF) at snmp_ta/bin/mibs location
1) How to set the index=network in the more settings ?
Under more settings - to highlight 'network' as index name - you first have to create this 'network' index on the Splunk indexer.
Go to indexer machine Settings > indexes > create new index > name and give location of hot/warm/cold buckets.
Now come to the SNMP settings page and then you will get "network" as index listed under this.
2) After saving the settings where I can see the inputs.conf stanza in this app. I mean from /opt/splunk/etc/apps/snmp_ta
/opt/splunk/etc/apps/snmp_ta
inside this location, create a new directory named 'local'
create a new file here and name it "inputs.conf" for any data collection
3) Which option is better to capture the snmp traps, whether by using the snmptrapd or by using this app.
Both ways are right - use one which suits your requirements. I would prefer app.
Hi saurabh, in our production environment we are already indexing other network-related device data into index=network.
But when I tested on my personal laptop, after providing the required details I could see the inputs.conf file being placed under this folder: /opt/splunk/etc/apps/launcher/local/inputs.conf. Can I copy the same and place it in /opt/splunk/etc/apps/snmp_ta/local/inputs.conf?
I am not sure about the custom MIB, so can I leave that option blank? Will there be any impact because of it?
Please guide me whether the above steps are correct to capture the remote CISCO prime snmp into the Heavy forwarder instance using the app.
thanks in advance.
A MIB is an explanation of some codes, like HTTP 200 means OK. It adds value for the sake of better understanding and clarity.
The steps seem to be correct.
Hi All, I have successfully downloaded and installed the snmptrap with the help of a Linux administrator.
From the below site you can download the snmptrapd.rpm for "Red Hat Enterprise Linux Server release 7.3 (Maipo)" 64 bit OS.
http://rpm.pbone.net/index.php3
Questions :
1) Do I need to add any other configuration details in /etc/snmp/snmptrapd.conf?
snmpTrapdAddr udp:127.0.0.1:162,udp6:[::1]:162
doNotLogTraps no
authCommunity log,execute,net solarwinds
disableAuthorization no
2) What configuration details should be added under this file /etc/sysconfig/snmptrapd?
OPTIONS="-Lsd"
Kindly guide me on this.
thanks in advance
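A minimal receiving setup for the questions in the post above, as an added example that is not from any poster in this thread: snmptrapd listens on the Heavy Forwarder address, authorizes only logging of traps from one source, and Splunk monitors the resulting file. `<TRAP_COMMUNITY>` and `<PRIME_SERVER_IP>` are placeholders, and the chosen values are assumptions to adapt.

```conf
# --- /etc/snmp/snmptrapd.conf ------------------------------------------
# Listen on the Heavy Forwarder's own interface. A loopback-only address
# (udp:127.0.0.1:162) never sees traps sent by a remote Cisco Prime server.
# 10.X.X.X is the thread's placeholder for the Heavy Forwarder IP.
snmpTrapdAddr udp:10.X.X.X:162

# Keep community-based authorization enabled. Running with
# --disableAuthorization=yes (or "disableAuthorization yes") makes
# snmptrapd accept and log traps from any sender with any community.
disableAuthorization no

# Grant only "log": traps are written to the log and nothing more.
# "execute" (run trap handler programs) and "net" (forward traps) are not
# needed when Splunk just reads the file.
# <TRAP_COMMUNITY> and <PRIME_SERVER_IP> are placeholders: use a
# non-default community (not "public") and the Prime server's address so
# traps from other sources are not processed.
authCommunity log <TRAP_COMMUNITY> <PRIME_SERVER_IP>

doNotLogTraps no

# --- /etc/sysconfig/snmptrapd ------------------------------------------
# -Lf writes traps to a file instead of syslog (-Lsd), matching the path
# that the monitor stanza below reads.
OPTIONS="-Lf /var/log/snmp-traps"

# --- inputs.conf on the Heavy Forwarder (stanza from the question) ------
[monitor:///var/log/snmp-traps*]
index = network
sourcetype = network:cisco:primesnmp
```

Restart snmptrapd after editing, and permit 162/udp at the host firewall only from the Prime server, since SNMP v2c community strings travel in clear text and are not a strong control on their own.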
Hi Woodcock, I had downloaded snmptrapd from this link https://sourceforge.net/projects/net-snmp/files/net-snmp/5.7.3/ but I am not sure how to install this package on Linux.
"Download net-snmp-5.6.1.1-1.x86.exe (4.2 MB)"
Kindly let me know how to install this on Linux.
@Hemnaath -
You are using "Red Hat Enterprise Linux Server release 7.3 (Maipo)" 64 bit OS on the HF, so the .exe file format is not for you.
You may download a .gz file version, which you can untar on Linux:
tar xvzf -C
Hi saurabh, thanks for your support. Can you please provide me the link and the exact file to download from the site?
Thanks in advance.
Hi All, can anyone guide me on this?