Re: Receiving SNMP alerts without a Data Input con...

erstexas · ‎11-01-2012

I am trying to stop indexing any SNMP traffic on UDP ports 161 and 162 and they are still coming in even though I do NOT have the ports configured on the Data Inputs page. Does anybody know how these alerts would still be coming in?

Also, I tried to manually ignore them with the documented props.conf and transforms.conf approach in the documentation and this is not working either. Here are the contents of this config:

-props.conf- (/opt/splunk/etc/system/local)

[source::udp:161]
TRANSFORMS-null= setnull

[source::udp:162]
TRANSFORMS-null= setnull

-transforms.conf- (/opt/splunk/etc/system/local)

[setnull]
REGEX = . (tried REGEX = (.) as well)
DEST_KEY = queue
FORMAT = nullQueue

And they are still coming in and getting indexed. Any ideas? I'm not sure where/why Splunk is still listening to these 2 ports and why the above approach is not working.

Any ideas?

gcoles · ‎11-02-2012

You can find out whether or not it is Splunk listening on udp:162 with the following command on any splunk server:

 $SPLUNK_HOME/splunk list udp

It is hard to answer further without knowing what your setup is, aka do you use forwarders, do you have an snmptrapd instance logging to files that are ingested by Splunk on the indexer or forwarders, etc. If you use forwarders, it is possible that they have an inputs.conf file somewhere in $SPLUNK_HOME/etc/apps that specifies listening on udp:162, which won't show up in your web UI on the indexer and/or search head(s).

mikelanghorst · ‎11-01-2012

What does the source say for those snmp events. Last I knew Splunk wouldn't receive them directly. Check your snmpd and snmptrapd configuration on the server to ensure they aren't logging to somewhere under /var/log.

Receiving SNMP alerts without a Data Input configured

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!