Getting Data In

Receiving SNMP alerts without a Data Input configured

erstexas
Path Finder

I am trying to stop indexing any SNMP traffic on UDP ports 161 and 162 and they are still coming in even though I do NOT have the ports configured on the Data Inputs page. Does anybody know how these alerts would still be coming in?

Also, I tried to manually ignore them with the documented props.conf and transforms.conf approach in the documentation and this is not working either. Here are the contents of this config:

-props.conf- (/opt/splunk/etc/system/local)

[source::udp:161]
TRANSFORMS-null= setnull

[source::udp:162]
TRANSFORMS-null= setnull

-transforms.conf- (/opt/splunk/etc/system/local)

[setnull]
REGEX = . (tried REGEX = (.) as well)
DEST_KEY = queue
FORMAT = nullQueue

And they are still coming in and getting indexed. Any ideas? I'm not sure where/why Splunk is still listening to these 2 ports and why the above approach is not working.

Any ideas?

0 Karma

gcoles
Communicator

You can find out whether or not it is Splunk listening on udp:162 with the following command on any splunk server:

 $SPLUNK_HOME/splunk list udp

It is hard to answer further without knowing what your setup is, aka do you use forwarders, do you have an snmptrapd instance logging to files that are ingested by Splunk on the indexer or forwarders, etc. If you use forwarders, it is possible that they have an inputs.conf file somewhere in $SPLUNK_HOME/etc/apps that specifies listening on udp:162, which won't show up in your web UI on the indexer and/or search head(s).

0 Karma

mikelanghorst
Motivator

What does the source say for those snmp events. Last I knew Splunk wouldn't receive them directly. Check your snmpd and snmptrapd configuration on the server to ensure they aren't logging to somewhere under /var/log.

Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...