I am looking for resources on how to poll e.g. Cisco ASA firewalls via snmp (snmpget) from Splunk. I would like to pull things like interface usage, RAM usage, CPU usage etc, anything that can be gathered via SNMP.
Is it something along the lines of scripting snmpgets, writing output into a file on the splunk server and then pulling the data out?
Does anyone have any good examples for this?
Check out this new add-on : http://splunk-base.splunk.com/apps/88686/snmp-modular-input
Here is a simple quick and dirty prototype of an snmp manager I've written using pysnmp.
from pysnmp.entity import engine, config
from pysnmp.carrier.asynsock.dgram import udp
from pysnmp.entity.rfc3413 import cmdgen
from pysnmp.smi import builder, view, error
from time import localtime, strftime
import sys, os
def cbFun(sendRequestHandle, errorIndication, errorStatus, errorIndex,
          varBinds, cbCtx):
    """Response callback handed to the pysnmp command generator.

    Copies the outcome of one request into the caller-supplied dict
    ``cbCtx`` under the keys 'errorIndication', 'errorStatus' and
    'varBinds'. ``sendRequestHandle`` and ``errorIndex`` are accepted
    but not stored.
    """
    cbCtx.update(
        errorIndication=errorIndication,
        errorStatus=errorStatus,
        varBinds=varBinds,
    )
    # Per the original author's note, a true return value lets a
    # GETNEXT/GETBULK walk continue; a plain GET ignores it.
    return 1
def getoidval(agentname, params, communitystr, targetadd, targetport, targetoid):
    """Send one SNMP GET for ``targetoid`` and return the callback context.

    A fresh SnmpEngine is built on every call. The community string,
    target parameters, target address and a UDP client transport are
    registered on it, one GET is sent, and the dispatcher is run.

    The returned dict holds whatever cbFun stored: 'errorIndication',
    'errorStatus' and 'varBinds'.

    The target is registered under ``targetname``. That name is not a
    parameter of this function; it is read from module scope.
    """
    snmp_engine = engine.SnmpEngine()

    # Community-based security at the 'noAuthNoPriv' level: the community
    # string is the only credential and the request is neither
    # authenticated nor encrypted, so it is readable on the wire. Where
    # the device supports it, an SNMPv3 user (pysnmp's config.addV3User
    # with an 'authPriv' target) is the stronger choice.
    config.addV1System(snmp_engine, agentname, communitystr)
    # NOTE(review): the trailing 1 looks like the message-processing model
    # selecting SNMPv2c -- confirm against the pysnmp version in use.
    config.addTargetParams(snmp_engine, params, agentname, 'noAuthNoPriv', 1)

    endpoint = (targetadd, targetport)
    config.addTargetAddr(snmp_engine, targetname, config.snmpUDPDomain,
                         endpoint, params)

    client_transport = udp.UdpSocketTransport().openClientMode()
    config.addSocketTransport(snmp_engine, config.snmpUDPDomain,
                              client_transport)

    # The callback fills this dict while the dispatcher runs.
    result = {}
    request = ((targetoid, None),)
    cmdgen.GetCommandGenerator().sendReq(snmp_engine, targetname, request,
                                         cbFun, result)
    snmp_engine.transportDispatcher.runDispatcher()
    return result
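def _tsv_safe(text):
    """Return ``text`` as a string with tab, CR and LF replaced by spaces."""
    return str(text).replace('\t', ' ').replace('\r', ' ').replace('\n', ' ')


def _log_and_exit(errname, timestamp, message):
    """Append ``message`` to the error log, echo it, and exit with status 12."""
    line = _tsv_safe(message)
    with open(errname, 'a') as errfile:
        errfile.write(timestamp + line + '\n')
    print(line)
    sys.exit(12)


def gensnmbtsv(agentname, params, communitystr, targetadd, targetport, lstoid,
               basepath, filename):
    """Poll every OID in ``lstoid`` once and append the results as one TSV row.

    Output goes to ``basepath + filename + <date suffix> + '.tsv'``. The
    header line is written only when that file does not exist yet; every
    call appends one row of ``date<TAB>time<TAB>value...``.

    SNMP errors are appended to ``basepath + filename + 'Err.log'`` and
    printed. Any SNMP error, or an OID that cannot be resolved to a MIB
    label, ends the process with exit status 12, so no partial row is
    written.

    ``basepath`` is concatenated as-is and therefore has to end with a
    path separator.

    Changes from the original listing:
      * The header was 'date time' (one column) while each row carries
        date and time as two tab-separated columns, which shifted every
        label one column to the left. The header now has two columns.
      * Values returned by the agent are stripped of tab/CR/LF before
        being written. The agent is remote input, and an embedded newline
        would otherwise start a new, forged record in a file that is
        meant to be indexed downstream.
      * Files are closed through ``with``, and the bare ``except`` is
        narrowed so that unrelated failures are no longer reported as a
        missing MIB.
    """
    mibView = view.MibViewController(mibBuilder)

    # One clock reading for both strings so a run that straddles midnight
    # cannot put a row into the wrong day's file.
    now = localtime()
    # The suffix format (e.g. _2012-0131) is kept as in the original,
    # because whatever monitors these files may match on the name.
    localdate = strftime("_%Y-%m%d", now)
    timestamp = strftime("%Y-%m-%d\t%H:%M\t", now)

    tsvname = basepath + filename + localdate + '.tsv'
    errname = basepath + filename + 'Err.log'

    columns = []  # (label, value) pairs, in lstoid order
    for targetoid in lstoid:
        returnoid = getoidval(agentname, params, communitystr, targetadd,
                              targetport, targetoid)
        if returnoid['errorIndication']:
            _log_and_exit(errname, timestamp, returnoid['errorIndication'])
        elif returnoid['errorStatus']:
            _log_and_exit(errname, timestamp, returnoid['errorStatus'])

        try:
            varbind = returnoid['varBinds'][0]
            oid, labels, suffix = mibView.getNodeName(varbind[0])
        except (error.SmiError, IndexError):
            print('Unable to find label associated with oid. Make sure you have loaded all necessary .py MIB definitions. This can done by using builder.MibBuilder().loadModules.')
            sys.exit(12)
        columns.append((labels[-1], _tsv_safe(varbind[1])))

    header = 'date\ttime\t' + ''.join(label + '\t' for label, _ in columns)
    row = timestamp + ''.join(value + '\t' for _, value in columns)

    is_new_file = not os.path.exists(tsvname)
    with open(tsvname, 'a') as tsvfile:
        if is_new_file:
            tsvfile.write(header.lower() + '\n')
        tsvfile.write(row + '\n')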
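# Directory holding the compiled (.py) MIB modules; replace the placeholder.
mibsource = '<pysnmpMibDir>/mib'
mibBuilder = builder.MibBuilder()
mibPath = mibBuilder.getMibSources() + (builder.DirMibSource(mibsource),)
mibBuilder.setMibSources(*mibPath)
# 'MSFT-MIB' was listed twice in the original call; once is enough.
mibBuilder.loadModules(
    'MSFT-MIB', 'WINDOWS-NT-PERFORMANCE', 'SNMPv2-TC', 'RFC1213-MIB',
    'RFC1155-SMI', 'RFC1158-MIB', 'RFC1354-MIB', 'WINS-MIB',
    'InternetServer-MIB', 'HTTPSERVER-MIB',
)

# --- Poll target: every empty value below has to be filled in. -----------
agentname = ''
params = ''
# getoidval() reads targetname from module scope; it is not passed as an
# argument.
targetname = ''
# The community string is the only credential this script presents. Once
# it is filled in, this file holds a secret: keep it readable only by the
# account that runs the script and out of shared repositories. A read-only
# community that the device accepts only from the poller's address limits
# what a leaked copy is worth.
communitystr = ''
targetadd = ''
targetport = 161
# These OIDs sit under enterprise 311 (Microsoft), matching the MIB modules
# loaded above. Substitute the OIDs and MIB modules of the device being
# polled.
lstoid = [
    '1.3.6.1.4.1.311.1.7.3.1.14.0',
    '1.3.6.1.4.1.311.1.7.3.1.15.0',
    '1.3.6.1.4.1.311.1.7.3.1.16.0',
    '1.3.6.1.4.1.311.1.7.3.1.17.0',
    '1.3.6.1.4.1.311.1.7.3.1.18.0',
]
# Where the error log and the output are placed. The value is concatenated
# with filename, so it must end with a path separator.
basepath = '<script path/python/snmp/>'
# Base name of the output; the file is a TSV and each run appends one row.
filename = '<somename>'

gensnmbtsv(agentname, params, communitystr, targetadd, targetport, lstoid,
           basepath, filename)
sys.exit(0)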
I don't have a good example, but yes, it's fundamentally how you describe it: define a scripted input in Splunk that runs your script to do the various snmpget commands and format their output.
One thing to consider might be that Cisco has always been a little skimpy in their PIX/ASA MIBS. The stuff you're looking for might not be available via SNMP - but you could always resort to something like expect.
This is something that I'll try to look into when I have time.
I could use some pointers on how to do that, tbh. Thanks.