The env:
Win2k8r2
Splunk 6.1 Ent
SNMP Modular Input 1.2.4
The problem:
No traps are being indexed
The stanza:
[snmp://iDRAC]
communitystring = public
do_bulk_get = 0
index = myindex
ipv6 = 0
snmp_mode = traps
snmp_version = 1
sourcetype = snmp_traps
split_bulk_output = 0
listen_traps = 1
trap_host = localhost
trap_port = 162
v3_authProtocol = usmHMACMD5AuthProtocol
v3_privProtocol = usmDESPrivProtocol
Note: the stanza was generated by Splunk Web. The dynamically generated entry did NOT contain "listen_traps = 1", which appeared to be needed according to the readme. So I added that line manually. The behavior was unchanged by this.
Steps taken:
I installed Wireshark and verified that the trap was indeed making it to the box Splunk runs on, and that it was coming in on the correct port.
I tested with Windows Firewall enabled and disabled, which made no difference.
I have a rule in Windows Firewall explicitly allowing UDP 162 for SNMP traps.
I ran netstat and verified that the host is listening on UDP 162.
So, I can show that the trap is received by the host. I don't believe the firewall is interfering, and testing with it disabled yielded the same results. I believe that leaves either the SNMP daemon that snmp_ta is using, some other misconfiguration on my part, or something else on the host causing some sort of conflict.
Splunk is the only real utility running on the host, as that is its sole purpose. But I'm not 100% sure if there is anything native to Windows that could interfere with SNMP handling.
Has anyone hit this? Any suggestions? Is there any other info that would be helpful?