Installed Wireshark, another great tool, and I do see SNMP data coming into the Splunk server, but don't see any SNMP messages leaving the server. I've set up trap notifications on the servers I'm monitoring and am assuming those are the SNMP messages being received. Polling should be sending out messages, shouldn't it? Searched in the splunkd log (index=_internal sourcetype=splunkd snmp) and did find some messages.
I set up two trap receivers in Splunk as well. One with localhost as the trap destination, and the other with the IP I'm using to send the SNMP messages to.
03-17-2016 15:44:53.661 -0600 ERROR ExecProcessor - message from "python "C:\Program Files\Splunk\etc\apps\snmp_ta\bin\snmp.py"" Failed to register transport and run dispatcher: bind() for ('localhost', 162) failed: [Errno 10013] An attempt was made to access a socket in a way forbidden by its access permissions snmp_stanza:snmp://Kaleido-Trap
03-17-2016 15:24:32.816 -0600 ERROR ExecProcessor - message from "python "C:\Program Files\Splunk\etc\apps\snmp_ta\bin\snmp.py"" Failed to register transport and run dispatcher: bind() for (u'192.168.1.102', 162) failed: [Errno 10013] An attempt was made to access a socket in a way forbidden by its access permissions snmp_stanza:snmp://Archive-Trap
I've noticed all the trap messages are coming in on port 161. For Windows servers I'm using the Microsoft SNMP service. For the other devices I have, I use whatever they provide. Will the SNMP Modular Input receive from port 161?
I didn't specify a MIB, just wanted to see if I could get any data into the Splunk database. I haven't been able to compile custom MIBs using Python and get "command not found" when trying to make the egg.
How did you find out that the Symantec Endpoint Protection was blocking the UDP port?
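An added diagnostic for the two bind() errors quoted above (example code, not part of the post or of the Splunk SNMP modular input): it parses those splunkd lines, embedded here as a constructed sample, and retries the UDP bind for each failing stanza so you can see whether the port is still taken. Errno 10013 (WSAEACCES) on Windows usually means another service already holds the port; the regex and function names are assumptions.

```python
import re
import socket
from typing import List, NamedTuple, Optional

# Constructed sample: the two splunkd errors quoted in the post, command path abbreviated.
SAMPLE_SPLUNKD_LOG = """\
03-17-2016 15:44:53.661 -0600 ERROR ExecProcessor - message from "python snmp.py" Failed to register transport and run dispatcher: bind() for ('localhost', 162) failed: [Errno 10013] An attempt was made to access a socket in a way forbidden by its access permissions snmp_stanza:snmp://Kaleido-Trap
03-17-2016 15:24:32.816 -0600 ERROR ExecProcessor - message from "python snmp.py" Failed to register transport and run dispatcher: bind() for (u'192.168.1.102', 162) failed: [Errno 10013] An attempt was made to access a socket in a way forbidden by its access permissions snmp_stanza:snmp://Archive-Trap
"""

# Hypothetical regex written against the message format shown above.
BIND_FAIL_RE = re.compile(
    r"bind\(\) for \(u?'(?P<host>[^']+)', (?P<port>\d+)\) failed: "
    r"\[Errno (?P<errno>\d+)\].*?snmp_stanza:(?P<stanza>\S+)"
)
WSAEACCES = 10013  # Windows bind() refusal; typically another listener already owns the port

class BindFailure(NamedTuple):
    host: str
    port: int
    errno: int
    stanza: str

def parse_bind_failures(log_text: str) -> List[BindFailure]:
    """Pull every 'bind() for (host, port) failed' event out of splunkd log text."""
    return [BindFailure(m["host"], int(m["port"]), int(m["errno"]), m["stanza"])
            for m in BIND_FAIL_RE.finditer(log_text)]

def check_udp_bind(host: str, port: int) -> Optional[int]:
    """Try to bind a UDP socket to (host, port): None on success, else the OS errno."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        sock.bind((host, port))
        return None
    except OSError as exc:
        return exc.errno
    finally:
        sock.close()

def diagnose(log_text: str) -> List[str]:
    """One report line per failing stanza: the port it wanted and whether it binds now."""
    report = []
    for f in parse_bind_failures(log_text):
        err = check_udp_bind(f.host, f.port)
        state = "bindable now" if err is None else f"still refused (errno {err})"
        hint = " [WSAEACCES: port held by another service?]" if f.errno == WSAEACCES else ""
        report.append(f"{f.stanza}: udp/{f.port} on {f.host}{hint} -> {state}")
    return report
```

Run it on the Splunk host itself with the trap stanzas disabled; if udp/162 is still refused, something other than Splunk is bound to it.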