Getting Data In

snmp trap to CA spectrum

surekhasplunk
Communicator

Hi,

I have the following information captured in splunk

rule=epm-rogue-mac-ep-epmacrogue    subject=oper-state-change   prevSeverity=warning    created=2019-08-09T11:06:32.108+02:00   highestSeverity=warning lastTransition=2019-08-09T11:08:53.057+02:00    origSeverity=warning    lc=raised   domain=access   childAction=    ack=no  occur=1 delegated=no    type=operational    descr=EP MAC 00:50:56:AB:68:DE is rogue on interface eth1/4 of Node 219, Pod 1  cause=ep-mac-is-rogue   severity=warning    code=F3014  changeSet=addr:00:50:56:AB:68:DE, createTs:2019-08-09T04:06:50.402+02:00, flags:local,mac,rogue, ifId:eth1/4, pcTag:32790   status= dn=topology/pod-1/node-219/sys/ctx-[vxlan-2097152]/bd-[vxlan-15400874]/vlan-[vlan-515]/db-ep/rogueMacEP-00:50:56:AB:68:DE/fault-F3014   apic_host=196.50.128.32 component=faultInst

Now for all the alerts for below query
index="cisco-aci" "cause=ep-mac-is-rogue"

I need to create an SNMP trap in spectrum . how can i achieve this ?

Tags (2)
0 Karma
1 Solution

surekhasplunk
Communicator

Thanks @solarboyz1

But looks like the script is not doing anything for me although the scirpt is getting invoked.

Can you help me with the sample script which is already modified.
As i am not sure how to test it.

0 Karma

solarboyz1
Builder

Ensure you did the following:

  • Create the script in the $SPLUNK_HOME/bin/scripts directory. Create the directory if it doesn't already exist. Copy the code listed below into sendsnmptrap.pl.
  • Run chmod on sendsnmptrap.pl to make the script executable.
  • In the scrpt, change the Host:Port of the SNMP trap handler, the paths to the external commands splunk and snmptrap, and the user/password if necessary.

If those are good, you can test the script by executing, it's expecting 9 arguments:

$SPLUNK_HOME/bin/scripts/snmptrap.pl "9" "test" "test" "test" "test" "test" "test" "test" "tes"

The script should run, or output some sort of errors.

If the script runs correctly and you don't see the events in CA:
- tcpdump to verify you see trap being sent, if you don't see trap sent verify you have the snmptrap installed correctly
- Verify CA knows how to handle the configured OID and its not filtered.
- Verify the trap is not blocked between host -> CA

If the trap makes it to CA in test mode, but not when configured as an alert action:
- Verify the Splunk user has permissions to execute the script.
- Checked the savedsearch logs to see if any suppressions are being applied.
- Check internal logs for any errors related to the script or the search
* Check the search logs for any errors

0 Karma

surekhasplunk
Communicator

Thanks a lot @solarboyz1 for such elaborate troubleshooting steps.

But i am stuck when the snmptrap command itself runs.
Looks like permission issue is with the permissions. Although it has execute permissions for all
-rwxr-xr-x 1 root root 14680 Oct 10 2012 /usr/bin/snmptrap

But its trying to do below which is failing as all are with root permissions and i am running it with splunk permissions.

Cannot rename /var/lib/net-snmp/snmpapp.conf to /var/lib/net-snmp/snmpapp.0.conf
Cannot unlink /var/lib/net-snmp/snmpapp.conf
read_config_store open failure on /var/lib/net-snmp/snmpapp.conf
read_config_store open failure on /var/lib/net-snmp/snmpapp.conf
read_config_store open failure on /var/lib/net-snmp/snmpapp.conf
sh: line 1: 1.3.6.1.4.1.27389.1.1.1: command not found

Do you suggest to change the permissions of the snmp files or directory or run as root ?

0 Karma

solarboyz1
Builder

Agree, your issue now deals with a non-root user trying to send an snmptrap.

Check out the following:
https://superuser.com/questions/795889/snmp-with-not-root-user

0 Karma

solarboyz1
Builder
0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In November, the Splunk Threat Research Team had one release of new security content via the Enterprise ...

Index This | Divide 100 by half. What do you get?

November 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

❄️ Celebrate the season with our December lineup of Community Office Hours, Tech Talks, and Webinars! ...