snmpget, snmptrap - Splunk and SNMP polling

splunker30039
Path Finder

I am looking for resources on how to poll e.g. Cisco ASA firewalls via snmp (snmpget) from Splunk. I would like to pull things like interface usage, RAM usage, CPU usage etc, anything that can be gathered via SNMP.

Is it something along the lines of scripting snmpgets, writing output into a file on the splunk server and then pulling the data out?

Does anyone have any good examples for this?

Damien_Dallimor
Ultra Champion

bmacias84
Champion

Here is a simple quick and dirty prototype of an snmp manager I've written using pysnmp.


```python
from pysnmp.entity import engine, config
from pysnmp.carrier.asynsock.dgram import udp
from pysnmp.entity.rfc3413 import cmdgen
from pysnmp.smi import builder, view, error
from time import localtime, strftime
import sys, os

# parses response from getoidval
def cbFun(sendRequestHandle, errorIndication, errorStatus, errorIndex, varBinds, cbCtx):
    cbCtx['errorIndication'] = errorIndication
    cbCtx['errorStatus'] = errorStatus
    cbCtx['varBinds'] = varBinds
    return 1  # will continue if using bulk or next

# gets oid and value
# (targetname is read from the module-level variable set under Main)
def getoidval(agentname, params, communitystr, targetadd, targetport, targetoid):
    snmpEngine = engine.SnmpEngine()
    # transport and snmpv2 setup
    # (noAuthNoPriv, mpModel 1 = SNMPv2c: the community string is sent unencrypted)
    config.addV1System(snmpEngine, agentname, communitystr)
    config.addTargetParams(snmpEngine, params, agentname, 'noAuthNoPriv', 1)
    config.addTargetAddr(snmpEngine, targetname, config.snmpUDPDomain, (targetadd, targetport), params)
    config.addSocketTransport(snmpEngine, config.snmpUDPDomain, udp.UdpSocketTransport().openClientMode())

    #test = cmdgen.NextCommandGenerator().sendReq(snmpEngine, targetname, ((targetoid, None),), cbFun)
    cbCtx = {}
    cmdgen.GetCommandGenerator().sendReq(snmpEngine, targetname, ((targetoid, None),), cbFun, cbCtx)

    snmpEngine.transportDispatcher.runDispatcher()
    return cbCtx

# generates tsv file for all oids given for target
# (mibBuilder is read from the module-level variable set under Main)
def gensnmbtsv(agentname, params, communitystr, targetadd, targetport, lstoid, basepath, filename):
    mibView = view.MibViewController(mibBuilder)
    lstreturn = []
    localdate = strftime("_%Y-%m%d", localtime())
    timestamp = strftime("%Y-%m-%d\t%H:%M\t", localtime())
    header = 'date\ttime\t'  # two columns, matching the tab inside timestamp
    value = timestamp
    tsvname = basepath + filename + localdate + '.tsv'
    errname = basepath + filename + 'Err.log'
    for targetoid in lstoid:
        dictoidval = {}
        returnoid = getoidval(agentname, params, communitystr, targetadd, targetport, targetoid)
        if returnoid['errorIndication']:
            # transport-level failure (for example a timeout): log it and stop
            with open(errname, 'a') as errfile:
                errfile.write(timestamp + str(returnoid['errorIndication']) + '\n')
            print(str(returnoid['errorIndication']))
            sys.exit(12)
        elif returnoid['errorStatus']:
            # the agent answered with an SNMP error: log it and stop
            with open(errname, 'a') as errfile:
                errfile.write(timestamp + str(returnoid['errorStatus']) + '\n')
            print(str(returnoid['errorStatus']))
            sys.exit(12)
        else:
            try:
                # resolve the numeric oid to its MIB label and use that as the column name
                oid, labels, suffix = mibView.getNodeName(returnoid['varBinds'][0][0])
                dictoidval[labels[-1]] = str(returnoid['varBinds'][0][1])
                lstreturn.append(dictoidval)
            except Exception:
                print('Unable to find label associated with oid. Make sure you have loaded all necessary .py MIB definitions. This can be done by using builder.MibBuilder().loadModules.')
                sys.exit(12)
    for i in range(len(lstreturn)):
        header += list(lstreturn[i].keys())[0] + '\t'
        value += list(lstreturn[i].values())[0] + '\t'
    if not os.path.exists(tsvname):
        # new file: write the header row first
        with open(tsvname, 'w') as tsvfile:
            tsvfile.write(header.lower() + '\n' + value + '\n')
    else:
        with open(tsvname, 'a') as tsvfile:
            tsvfile.write(value + '\n')

# Main
########################

# Set alternative location of mib sources and loads mibs
mibsource = '<pysnmpMibDir>/mib'
mibBuilder = builder.MibBuilder()
mibPath = mibBuilder.getMibSources() + (builder.DirMibSource(mibsource),)
mibBuilder.setMibSources(*mibPath)
mibBuilder.loadModules('MSFT-MIB','WINDOWS-NT-PERFORMANCE','SNMPv2-TC','RFC1213-MIB','RFC1155-SMI','RFC1158-MIB','RFC1354-MIB','MSFT-MIB','WINS-MIB','InternetServer-MIB','HTTPSERVER-MIB')

agentname = ''
params = ''
targetname = ''
communitystr = ''
targetadd = ''
targetport = 161
lstoid = ['1.3.6.1.4.1.311.1.7.3.1.14.0',
          '1.3.6.1.4.1.311.1.7.3.1.15.0',
          '1.3.6.1.4.1.311.1.7.3.1.16.0',
          '1.3.6.1.4.1.311.1.7.3.1.17.0',
          '1.3.6.1.4.1.311.1.7.3.1.18.0',]
basepath = '<script path/python/snmp/>'  # Where error and output will be placed
filename = '<somename>'  # file will be a tsv with current data appended

gensnmbtsv(agentname, params, communitystr, targetadd, targetport, lstoid, basepath, filename)

sys.exit(0)
```

dwaddle
SplunkTrust

I don't have a good example, but yes it's fundamentally how you describe it - define a scripted input into Splunk that runs your script to do the various snmpget commands and format their output.

One thing to consider might be that Cisco has always been a little skimpy in their PIX/ASA MIBS. The stuff you're looking for might not be available via SNMP - but you could always resort to something like expect.
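The scripted-input approach described in the reply above, sketched as an added example that is not part of any poster's reply: it runs net-snmp's `snmpget` and prints one key=value event on stdout for Splunk to index. The field names, the choice of OIDs (standard MIB-II and IF-MIB objects, with ifIndex 1 assumed), and keeping the SNMP version and credentials in `snmp.conf` are assumptions of the example.

```python
"""Splunk scripted input: run net-snmp's snmpget and print one key=value event."""
import subprocess
import sys
import time

# Field name -> numeric OID (standard MIB-II / IF-MIB objects; ifIndex 1 is an assumption).
OIDS = {
    "sys_uptime_ticks": ".1.3.6.1.2.1.1.3.0",
    "if1_in_octets": ".1.3.6.1.2.1.2.2.1.10.1",
    "if1_out_octets": ".1.3.6.1.2.1.2.2.1.16.1",
}
# Values snmpget prints when the agent does not expose an OID.
MISSING = ("No Such Object", "No Such Instance")
# Constructed sample of `snmpget -Oqnt` output, used for offline checks.
SAMPLE = """.1.3.6.1.2.1.1.3.0 8374921
.1.3.6.1.2.1.2.2.1.10.1 1938472651
.1.3.6.1.2.1.2.2.1.16.1 No Such Instance currently exists at this OID
"""

def parse_snmpget(output, oids=OIDS):
    """Map '<oid> <value>' lines back to field names, skipping missing OIDs."""
    by_oid = {oid: name for name, oid in oids.items()}
    fields = {}
    for line in output.splitlines():
        oid, _, value = line.strip().partition(" ")
        name = by_oid.get(oid)
        if name is None or value.startswith(MISSING):
            continue
        fields[name] = value.strip('"')
    return fields

def format_event(host, fields, now=None):
    """Render one timestamped line that Splunk can auto-extract as key=value pairs."""
    stamp = time.strftime("%Y-%m-%dT%H:%M:%S%z", time.localtime(now))
    pairs = ['%s="%s"' % (k, v.replace('"', "'")) for k, v in sorted(fields.items())]
    return " ".join([stamp, 'snmp_host="%s"' % host] + pairs)

def poll(host):
    # Version and credentials are read from snmp.conf (assumption), so no
    # community string or passphrase appears in the process list.
    cmd = ["snmpget", "-Oqnt", host] + list(OIDS.values())
    result = subprocess.run(cmd, capture_output=True, text=True, timeout=15, check=True)
    return format_event(host, parse_snmpget(result.stdout))

if __name__ == "__main__":
    print(poll(sys.argv[1]))
```

An OID the device does not implement is dropped from the event rather than indexed as text, which keeps numeric fields numeric when a MIB object is missing.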

dwaddle
SplunkTrust

This is something that I'll try to look into when I have time.

0 Karma

splunker30039
Path Finder

I could need some pointers on how to do that, tbh. Thanks.

0 Karma