snmpget, snmptrap - Splunk and SNMP polling

splunker30039
Path Finder

I am looking for resources on how to poll e.g. Cisco ASA firewalls via SNMP (snmpget) from Splunk. I would like to pull things like interface usage, RAM usage, CPU usage etc., anything that can be gathered via SNMP.

Is it something along the lines of scripting snmpgets, writing output into a file on the Splunk server and then pulling the data out?

Does anyone have any good examples for this?

Damien_Dallimor
Ultra Champion

bmacias84
Champion

Here is a simple quick and dirty prototype of an SNMP manager I've written using pysnmp.

```python
from pysnmp.entity import engine, config
from pysnmp.carrier.asynsock.dgram import udp
from pysnmp.entity.rfc3413 import cmdgen
from pysnmp.smi import builder, view, error
from time import localtime, strftime
import os
import sys


# Parses the response from getoidval (called back by pysnmp for each reply)
def cbFun(sendRequestHandle, errorIndication, errorStatus, errorIndex, varBinds, cbCtx):
    cbCtx['errorIndication'] = errorIndication
    cbCtx['errorStatus'] = errorStatus
    cbCtx['varBinds'] = varBinds
    return 1  # will continue if using bulk or next


# Gets oid and value; targetname is the module-level global set in Main below
def getoidval(agentname, params, communitystr, targetadd, targetport, targetoid):
    snmpEngine = engine.SnmpEngine()
    # transport and snmpv2c setup
    config.addV1System(snmpEngine, agentname, communitystr)
    config.addTargetParams(snmpEngine, params, agentname, 'noAuthNoPriv', 1)
    config.addTargetAddr(snmpEngine, targetname, config.snmpUDPDomain, (targetadd, targetport), params)
    config.addSocketTransport(snmpEngine, config.snmpUDPDomain, udp.UdpSocketTransport().openClientMode())

    # test = cmdgen.NextCommandGenerator().sendReq(snmpEngine, targetname, ((targetoid, None),), cbFun)
    cbCtx = {}
    cmdgen.GetCommandGenerator().sendReq(snmpEngine, targetname, ((targetoid, None),), cbFun, cbCtx)

    snmpEngine.transportDispatcher.runDispatcher()
    return cbCtx


# Generates a tsv file for all oids given for the target; mibBuilder is the global set in Main below
def gensnmbtsv(agentname, params, communitystr, targetadd, targetport, lstoid, basepath, filename):
    mibView = view.MibViewController(mibBuilder)
    lstreturn = []
    localdate = strftime("_%Y-%m%d", localtime())
    timestamp = strftime("%Y-%m-%d\t%H:%M\t", localtime())
    header = 'date time\t'
    value = timestamp
    tsvname = basepath + filename + localdate + '.tsv'
    errname = basepath + filename + 'Err.log'
    for targetoid in lstoid:
        dictoidval = {}
        returnoid = getoidval(agentname, params, communitystr, targetadd, targetport, targetoid)
        if returnoid['errorIndication']:
            # transport-level failure (timeout, unreachable host): log it and stop
            errfile = open(errname, 'a')
            errfile.write(timestamp + str(returnoid['errorIndication']) + '\n')
            print(str(returnoid['errorIndication']))
            errfile.close()
            sys.exit(12)
        elif returnoid['errorStatus']:
            # SNMP-level error returned by the agent (e.g. noSuchName)
            errfile = open(errname, 'a')
            errfile.write(timestamp + str(returnoid['errorStatus']) + '\n')
            print(str(returnoid['errorStatus']))
            errfile.close()
            sys.exit(12)
        else:
            try:
                # resolve the numeric oid to its MIB labels; the last label becomes the column name
                oid, labels, suffix = mibView.getNodeName(returnoid['varBinds'][0][0])
                dictoidval[labels[-1]] = str(returnoid['varBinds'][0][1])
                lstreturn.append(dictoidval)
            except (error.SmiError, IndexError):
                print('Unable to find label associated with oid. Make sure you have loaded all necessary .py MIB definitions. This can be done by using builder.MibBuilder().loadModules.')
                sys.exit(12)
    # one column per oid; the header row is only written when the tsv is first created
    for i in range(len(lstreturn)):
        header += list(lstreturn[i].keys())[0] + '\t'
        value += list(lstreturn[i].values())[0] + '\t'
    if not os.path.exists(tsvname):
        tsvfile = open(tsvname, 'w')
        tsvfile.write(header.lower() + '\n' + value + '\n')
        tsvfile.close()
    else:
        tsvfile = open(tsvname, 'a')
        tsvfile.write(value + '\n')
        tsvfile.close()


# Main
########################

# Set alternative location of mib sources and load mibs
mibsource = '<pysnmpMibDir>/mib'
mibBuilder = builder.MibBuilder()
mibPath = mibBuilder.getMibSources() + (builder.DirMibSource(mibsource),)
mibBuilder.setMibSources(*mibPath)
mibBuilder.loadModules('MSFT-MIB', 'WINDOWS-NT-PERFORMANCE', 'SNMPv2-TC', 'RFC1213-MIB', 'RFC1155-SMI', 'RFC1158-MIB', 'RFC1354-MIB', 'MSFT-MIB', 'WINS-MIB', 'InternetServer-MIB', 'HTTPSERVER-MIB')

agentname = ''
params = ''
targetname = ''
communitystr = ''
targetadd = ''
targetport = 161
lstoid = ['1.3.6.1.4.1.311.1.7.3.1.14.0',
          '1.3.6.1.4.1.311.1.7.3.1.15.0',
          '1.3.6.1.4.1.311.1.7.3.1.16.0',
          '1.3.6.1.4.1.311.1.7.3.1.17.0',
          '1.3.6.1.4.1.311.1.7.3.1.18.0']
basepath = '<script path/python/snmp/>'  # Where error and output will be placed
filename = '<somename>'  # file will be a tsv with current data appended

gensnmbtsv(agentname, params, communitystr, targetadd, targetport, lstoid, basepath, filename)

sys.exit(0)
```

dwaddle
SplunkTrust

I don't have a good example, but yes it's fundamentally how you describe it - define a scripted input into Splunk that runs your script to do the various snmpget commands and format their output.

One thing to consider might be that Cisco has always been a little skimpy in their PIX/ASA MIBs. The stuff you're looking for might not be available via SNMP - but you could always resort to something like expect.
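A Splunk scripted input of the kind described above, added here as an example rather than code from anyone in the thread: it wraps net-snmp's snmpget, parses its output and prints one key=value event per poll to stdout, so no intermediate file is needed. The OID list, the SNMP_COMMUNITY environment variable, the inputs.conf stanza and the sample snmpget output are all assumptions or constructed for the example.

```python
# Splunk scripted input: run net-snmp's snmpget against one device and print one
# key=value event per poll to stdout, which Splunk indexes directly.
# Assumed inputs.conf stanza (path and interval are illustrative):
#   [script://$SPLUNK_HOME/etc/apps/snmp_poll/bin/snmp_poll.py]
#   interval = 300
#   sourcetype = snmp:poll
import os
import re
import subprocess
import sys
import time
# OID -> Splunk field name (standard IF-MIB/SNMPv2-MIB objects; add vendor CPU/memory OIDs here)
OIDS = {
    "SNMPv2-MIB::sysUpTime.0": "sysuptime",
    "IF-MIB::ifInOctets.1": "if1_in_octets",
    "IF-MIB::ifOutOctets.1": "if1_out_octets",
}
# `snmpget -OQt` prints one "OID = value" line per object (no type prefix, timeticks numeric)
LINE_RE = re.compile(r"^(?P<oid>\S+)\s*=\s*(?P<value>.*)$")

# Constructed sample of snmpget -OQt output, including one missing instance
SAMPLE_OUTPUT = """SNMPv2-MIB::sysUpTime.0 = 1234567
IF-MIB::ifInOctets.1 = 987654321
IF-MIB::ifOutOctets.1 = 12345
IF-MIB::ifInOctets.99 = No Such Instance currently exists at this OID
"""

def parse_snmpget(output):
    """Map OID -> value; 'No Such ...' answers are dropped rather than indexed as data."""
    values = {}
    for line in output.splitlines():
        m = LINE_RE.match(line.strip())
        if m and not m.group("value").startswith("No Such"):
            values[m.group("oid")] = m.group("value").strip().strip('"')
    return values

def to_event(host, values, now=None):
    """One Splunk event: ISO8601 UTC timestamp followed by key=value pairs."""
    ts = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(now))
    pairs = ["host=%s" % host] + ["%s=%s" % (f, values[o]) for o, f in OIDS.items() if o in values]
    return ts + " " + " ".join(pairs)

def build_cmd(host, community):
    """snmpget argv: SNMPv2c read-only community; -t/-r bound the wait so a dead device cannot stall the input."""
    return ["snmpget", "-v2c", "-c", community, "-OQt", "-t", "5", "-r", "1", host] + list(OIDS)

if __name__ == "__main__":
    host, community = sys.argv[1], os.environ["SNMP_COMMUNITY"]  # assumed env var, set by the app
    proc = subprocess.run(build_cmd(host, community), capture_output=True, text=True, timeout=30)
    if proc.returncode != 0:
        sys.stderr.write(proc.stderr)  # shows up in splunkd.log for troubleshooting
    print(to_event(host, parse_snmpget(proc.stdout)))
```

Where the device supports it, swap the `-v2c -c` arguments for SNMPv3 `-v3 -l authPriv` so the read-only credential is not sent in the clear.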

dwaddle
SplunkTrust

This is something that I'll try to look into when I have time.

splunker30039
Path Finder

I could use some pointers on how to do that, tbh. Thanks.
