- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- snmp trap to CA spectrum
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I have the following information captured in splunk
rule=epm-rogue-mac-ep-epmacrogue subject=oper-state-change prevSeverity=warning created=2019-08-09T11:06:32.108+02:00 highestSeverity=warning lastTransition=2019-08-09T11:08:53.057+02:00 origSeverity=warning lc=raised domain=access childAction= ack=no occur=1 delegated=no type=operational descr=EP MAC 00:50:56:AB:68:DE is rogue on interface eth1/4 of Node 219, Pod 1 cause=ep-mac-is-rogue severity=warning code=F3014 changeSet=addr:00:50:56:AB:68:DE, createTs:2019-08-09T04:06:50.402+02:00, flags:local,mac,rogue, ifId:eth1/4, pcTag:32790 status= dn=topology/pod-1/node-219/sys/ctx-[vxlan-2097152]/bd-[vxlan-15400874]/vlan-[vlan-515]/db-ep/rogueMacEP-00:50:56:AB:68:DE/fault-F3014 apic_host=196.50.128.32 component=faultInst
Now for all the alerts for below query
index="cisco-aci" "cause=ep-mac-is-rogue"
I need to create an SNMP trap in spectrum . how can i achieve this ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Check out the app:
https://splunkbase.splunk.com/app/3291/#/details
OR create your own script as described:
https://docs.splunk.com/Documentation/Splunk/6.2.1/alert/SendingSNMPtrapstoothersystems
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks @solarboyz1
But looks like the script is not doing anything for me although the scirpt is getting invoked.
Can you help me with the sample script which is already modified.
As i am not sure how to test it.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ensure you did the following:
- Create the script in the $SPLUNK_HOME/bin/scripts directory. Create the directory if it doesn't already exist. Copy the code listed below into sendsnmptrap.pl.
- Run chmod on sendsnmptrap.pl to make the script executable.
- In the scrpt, change the Host:Port of the SNMP trap handler, the paths to the external commands splunk and snmptrap, and the user/password if necessary.
If those are good, you can test the script by executing, it's expecting 9 arguments:
$SPLUNK_HOME/bin/scripts/snmptrap.pl "9" "test" "test" "test" "test" "test" "test" "test" "tes"
The script should run, or output some sort of errors.
If the script runs correctly and you don't see the events in CA:
- tcpdump to verify you see trap being sent, if you don't see trap sent verify you have the snmptrap installed correctly
- Verify CA knows how to handle the configured OID and its not filtered.
- Verify the trap is not blocked between host -> CA
If the trap makes it to CA in test mode, but not when configured as an alert action:
- Verify the Splunk user has permissions to execute the script.
- Checked the savedsearch logs to see if any suppressions are being applied.
- Check internal logs for any errors related to the script or the search
* Check the search logs for any errors
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks a lot @solarboyz1 for such elaborate troubleshooting steps.
But i am stuck when the snmptrap command itself runs.
Looks like permission issue is with the permissions. Although it has execute permissions for all
-rwxr-xr-x 1 root root 14680 Oct 10 2012 /usr/bin/snmptrap
But its trying to do below which is failing as all are with root permissions and i am running it with splunk permissions.
Cannot rename /var/lib/net-snmp/snmpapp.conf to /var/lib/net-snmp/snmpapp.0.conf
Cannot unlink /var/lib/net-snmp/snmpapp.conf
read_config_store open failure on /var/lib/net-snmp/snmpapp.conf
read_config_store open failure on /var/lib/net-snmp/snmpapp.conf
read_config_store open failure on /var/lib/net-snmp/snmpapp.conf
sh: line 1: 1.3.6.1.4.1.27389.1.1.1: command not found
Do you suggest to change the permissions of the snmp files or directory or run as root ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Agree, your issue now deals with a non-root user trying to send an snmptrap.
Check out the following:
https://superuser.com/questions/795889/snmp-with-not-root-user
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Check out the app:
https://splunkbase.splunk.com/app/3291/#/details
OR create your own script as described:
https://docs.splunk.com/Documentation/Splunk/6.2.1/alert/SendingSNMPtrapstoothersystems
Splunk Custom Visualizations App End of Life
Introducing Splunk Enterprise 9.2
Adoption of RUM and APM at Splunk
