OK. We have spent hours on trying to get our SNMP logs into Splunk. Everyone should be aware of the hell. First, for Windows, you must install net-snmp. But guess what? The latest net-snmp binary doesn't actually perform an install, so you must download an old binary. But guess what? The old binary requires gnu_regex. But guess what? The links to this product don't provide a usable zip file, so you must search via Google for something comparable. But guess what? Then you need OpenSSL, so you install that, but guess what? There are other DLLs that already exist on your Windows box and cause DLL conflicts (remember DLL hell?). You ignore that and go on, but net-snmp now needs something called ActivePerl. So you download that, but guess what? net-snmp is version specific, so you must uninstall and re-install an older version of ActivePerl. O.K. Now net-snmp will not start with the older version you downloaded (some DLL error), so you overlay the older version of net-snmp with the new version of the binaries. Don't forget to also install some Microsoft C++ distributable DLLs.
Now you must configure that net-snmp bastard.
The documentation for net-snmp absolutely sucks. snmptrapd will not accept traps in a default configuration so you must go to the documentation which has very few examples. The assumption is that you are an snmp guru that loves reading about snmp config options. After an hour of trying to understand text configuration files with multiple internal dependencies, you get snmptrapd to accept a trap.
Great. Now you decide that it would be wise to put the SNMP output on a dedicated drive. Guess what? I still have not figured that out!
The snmptrapd.conf help file makes you "guess" at the correct option. I am guessing the option is "logOption", but that sends you to another help file called snmpcmd that is written in binary. Good luck to any and all who want to use Splunk to actually capture the system logs from things like UPS devices and HP enclosures. Awful, awful, awful. I can't wait to try to configure other integrations with Splunk. Really?
If my constant use of "guess what" annoys you, you have seen nothing until you try it yourself. Hours will be wasted.
So, the two real outstanding questions:
What do I put in the config file for net-snmp to make it automatically load all the mib files in the mib directory?
How do I change the output location for the logging of the traps received?
Sorry to hear you're having so much trouble with Net-SNMP. Just out of curiosity, have you tried it on a Linux machine? The Win32 version of Net-SNMP is a port of code that was originally written for Unix-like OSes. The fact that it is a somewhat difficult-to-wrangle port doesn't surprise me. Unless it is already pre-built for your operating system, you usually have to compile Net-SNMP from source code. This is where something like CentOS or Fedora has a big advantage, because they are much more likely to have easy one-click installs of working builds -- and have all the dependencies already sorted.
I realize the Splunk docs suggest the use of Net-SNMP, but that's not the only way to skin this cat. At the end of the day, Splunk does not "see" this data as SNMP - it sees it as text in a logfile. The snmptrapd program is what is doing the data conversion from "SNMP trap on the wire" to "text file Splunk can process". If you can find another tool that fits your SNMP trap handling needs better, then as long as it can also write to a log file Splunk will be just as happy with it. In the past, I've used the SNMP trap daemon built into Ipswitch WhatsUp with some good success. I've never hooked it into Splunk, but I don't think the difficulty would be high.
I did two installs of net-snmp on Windows 2003 Server - one for 32-bit and another for 64-bit. I downloaded version 5.4 from mwong_splunk's link above and performed the installation. I did not need ActivePerl or any other software.
After that, the Splunk install, and installing the MIBs in Net-SNMP's default MIB location, I ran snmptrapd from a command-line window to verify it would work with no errors in the MIB files. Afterwards, I created a scripted input in Splunk that ran a batch file that ran snmptrapd the same way I ran it from the command line. This scripted input would run with time interval -1 so it ran all the time. I configured snmptrapd to send output to standard output (the screen) so Splunk can capture it without sending it to a file.
For info, in case it could help, here's my SNMP configuration with net-snmp. Note that when you restart snmptrapd, the (input) file is wiped, but Splunk appears to manage it correctly. Also note there is no cleanup of that file.

==> /etc/snmp/snmp.conf <==
mibdirs +/my/directory/containing/mibs/
mibs +ALL

==> /etc/snmp/snmptrapd.conf <==
# uncomment the line below and comment the disableAuthorization directive
# to enable "shared secret authentication" via community string
# authCommunity log my_sharedsecret_community_string
disableAuthorization yes
# log traps to a file
logOption f /my/path/to/the/logfile.log
# recommended to have correct key/value pair extraction
outputOption Q
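As an added illustration (not code from anyone in this thread): a small parser for the records snmptrapd writes under the logOption f / outputOption Q settings above, useful for checking what Splunk will actually see before building extractions. The record layout and the sample lines are constructed assumptions modelled on the default snmptrapd log shape: a header line (timestamp, host, transport) followed by one line of tab-separated "OID = value" varbinds, where a type prefix such as STRING: or OID: appears only when outputOption Q is not set.

```python
"""Parse snmptrapd trap records into dicts (added example; record shape is an
assumption modelled on the default snmptrapd log format, not taken from this
thread).  Accepts both typed values ('STRING: "x"') and the -OQ form ('"x')."""
import re

# Header line: "<YYYY-MM-DD HH:MM:SS> <host> [<transport>]:"
HEADER_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"\[(?P<transport>.*)\]:\s*$"
)
# Type prefixes that outputOption Q suppresses; stripped here so both forms
# normalise to the same value.
TYPE_PREFIX_RE = re.compile(
    r"^(STRING|Hex-STRING|OID|INTEGER|Timeticks|IpAddress|Gauge32|Counter32"
    r"|Counter64|Unsigned32):\s*"
)

def parse_varbind(field):
    """Split one 'OID = value' field; drop the type prefix and outer quotes."""
    name, sep, value = field.partition(" = ")
    if not sep:
        raise ValueError(f"not a varbind: {field!r}")
    value = TYPE_PREFIX_RE.sub("", value.strip())
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
    return name.strip(), value

def parse_trap_log(text):
    """Return one dict per trap: timestamp, host, transport, varbinds, trap_oid."""
    records, current = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = HEADER_RE.match(line)
        if m:  # start of a new trap record
            current = {"timestamp": m["ts"], "host": m["host"],
                       "transport": m["transport"], "varbinds": {}}
            records.append(current)
            continue
        if current is None:
            raise ValueError(f"varbind line before any header: {line!r}")
        for field in line.split("\t"):  # varbinds are tab-separated
            if field.strip():
                name, value = parse_varbind(field)
                current["varbinds"][name] = value
    for rec in records:
        rec["trap_oid"] = rec["varbinds"].get("SNMPv2-MIB::snmpTrapOID.0")
    return records

SAMPLE_LOG = (  # constructed sample: first trap typed, second in -OQ form
    "2024-05-01 10:15:02 splunkhost [UDP: [192.0.2.10]:50012->[192.0.2.5]:162]:\n"
    "DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (4512300) 12:32:03.00\t"
    "SNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2-MIB::coldStart\t"
    'SNMPv2-MIB::sysName.0 = STRING: "ups-01"\n'
    "2024-05-01 10:16:45 splunkhost [UDP: [192.0.2.11]:50013->[192.0.2.5]:162]:\n"
    "DISMAN-EVENT-MIB::sysUpTimeInstance = 12:33:46.00\t"
    "SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-MIB::linkDown\tIF-MIB::ifIndex.3 = 3\n"
)
```

Running `parse_trap_log` over a real logfile produced by your own snmptrapd is the quickest way to confirm whether the values still carry type prefixes, which is exactly what outputOption Q is meant to remove.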