SNMP Modular Input: Why are SNMP traps not being translated properly with a vendor MIB into proper key-value pairs?

davidpridgen
Engager

I have been trying to translate incoming traps using snmp_ta with a vendor MIB, and it doesn't appear that the translation is working properly. I am getting the proper names from the MIB, but the values aren't being collapsed into proper field=value strings. I am getting the following in Splunk:

notification_from_address = "10.134.32.241" notification_from_port = "60716" SNMPv2-MIB::sysUpTime.0 = _BindValue: value=ObjectSyntax: application-wide=ApplicationSyntax: timeticks-value=0 SNMPv2-MIB::snmpTrapOID.0 = _BindValue: value=ObjectSyntax: simple=SimpleSyntax: objectID-value=1.3.6.1.4.1.2.6.245.1.26543.6.2.44 IBMTROYDATABASESYSTEM-MIB::itdbTrapType. = _BindValue().setComponentByPosition(0, ObjectSyntax().setComponentByPosition(0, SimpleSyntax().setComponentByPosition(1, OctetString('Top of Rack Switch')))) IBMTROYDATABASESYSTEM-MIB::itdbTrapSeverity. = _BindValue().setComponentByPosition(0, ObjectSyntax().setComponentByPosition(0, SimpleSyntax().setComponentByPosition(1, OctetString('Warning')))) IBMTROYDATABASESYSTEM-MIB::itdbTrapDateTime. = _BindValue().setComponentByPosition(0, ObjectSyntax().setComponentByPosition(0, SimpleSyntax().setComponentByPosition(1, OctetString('Wed, 15 Oct 2014 18:09:12 UTC')))) IBMTROYDATABASESYSTEM-MIB::itdbComponent. = _BindValue().setComponentByPosition(0, ObjectSyntax().setComponentByPosition(0, SimpleSyntax().setComponentByPosition(1, OctetString('switches Rack: 8739/1000186 Chassis: 0 Bay: 0')))) IBMTROYDATABASESYSTEM-MIB::itdbTrapText. = _BindValue().setComponentByPosition(0, ObjectSyntax().setComponentByPosition(0, SimpleSyntax().setComponentByPosition(1, OctetString('STG 71, topology change detected')))) IBMTROYDATABASESYSTEM-MIB::itdbTrapCategory. = _BindValue().setComponentByPosition(0, ObjectSyntax().setComponentByPosition(0, SimpleSyntax().setComponentByPosition(1, OctetString('CustomerServiceable')))) IBMTROYDATABASESYSTEM-MIB::itdbTrapTypeDetail. = _BindValue().setComponentByPosition(0, ObjectSyntax().setComponentByPosition(0, SimpleSyntax().setComponentByPosition(1, OctetString('Top of Rack Switch')))) IBMTROYDATABASESYSTEM-MIB::itdbTrapObjectDetail. = _BindValue().setComponentByPosition(0, ObjectSyntax().setComponentByPosition(0, SimpleSyntax().setComponentByPosition(1, OctetString('SN#Y250JH28X055 : fd8c:215d:178e:c0de:7699:75ff:fe1f:ee00')))) IBMTROYDATABASESYSTEM-MIB::itdbTrapComponentType. = _BindValue: value=ObjectSyntax: simple=SimpleSyntax: string-value=1 SNMPv2-MIB::sysName. = _BindValue().setComponentByPosition(0, ObjectSyntax().setComponentByPosition(0, SimpleSyntax().setComponentByPosition(1, OctetString('DB2 PDTX (DevInt, DevTest, DTQA and UAT)')))) SNMPv2-MIB::sysLocation. = _BindValue().setComponentByPosition(0, ObjectSyntax().setComponentByPosition(0, SimpleSyntax().setComponentByPosition(1, OctetString('Mindshift Datacenter Commack, NY')))) SNMPv2-MIB::sysContact. = _BindValue().setComponentByPosition(0, ObjectSyntax().setComponentByPosition(0, SimpleSyntax().setComponentByPosition(1, OctetString('xxxx xxxxxl'))))

Through the use of some very creative regex in transforms.conf I can extract most of the field values, but it is becoming very difficult to manage as I add more traps.


ianmurfy
New Member

Hi David,

I know this is a very old thread but just wondering did you ever resolve this issue? I'm experiencing the same problem.

I've converted all my MIBs to .py and have them in the mibs directory in the app. I've also called the MIBs out in inputs.conf, but even when I send a simple SNMP (SNMPv2-MIB) trap I get "_BindValue: value=ObjectSyntax" for every value. It does convert the OID value to text correctly, but I'm just not getting the associated value.

I guess I'll have to figure out the responsehandlers.py handler to find out more details, as per Damien's suggestion above.

Thanks,

Ian


pkarpushin
Path Finder

Hi

This output you get in Splunk is the result of processing SNMP traps with the DefaultResponseHandler in responsehandlers.py. It does not process traps properly; in particular, it can't handle OID values to produce a human-readable appearance.

Below is my custom response handler, which gives slightly better results in Splunk.

import sys
import re
import logging

# Assumed to be available in responsehandlers.py: mibvar is pysnmp's OID-to-name
# resolver, and print_xml_single_instance_mode() is the helper the modular input
# already defines in that file for emitting an event to Splunk.
from pysnmp.entity.rfc3413 import mibvar


class TRAP_ONLY_HANDLER:

    def __init__(self, **args):
        pass

    def __call__(self, response_object, destination, table=False, from_trap=False,
                 trap_metadata=None, split_bulk_output=False, mibView=None):
        splunkevent = ""

        # handle traps
        if from_trap:
            for oid, val in response_object:
                # Resolve the numeric OID to MODULE::symbol.index using the loaded MIBs
                try:
                    (symName, modName), indices = mibvar.oidToMibName(mibView, oid)
                    splunkevent += '%s::%s.%s' % (modName, symName, '.'.join([v.prettyPrint() for v in indices]))
                except:  # catch *all* exceptions
                    e = sys.exc_info()[1]
                    logging.error("Exception resolving MIB name in the caught trap: %s" % str(e))
                    splunkevent += '%s =  ' % (oid)
                # Changed part
                try:
                    str_val = val.prettyPrint()
                    # Get value format (group1) and value (group2) from the
                    # "_BindValue: value=ObjectSyntax: ...: <type>-value=<value>" rendering
                    val_matches = re.search(r'_.+:\s+.+:\s+.+:\s+(.+)=(.+)', str_val)
                    # valName (format) probably should be vanished
                    valName = val_matches.group(1)
                    valVal = val_matches.group(2)
                    splunkevent += '(%s) = "%s" ' % (valName, valVal)
                except:
                    # The setComponentByPosition(...) rendering does not match the regex above
                    splunkevent += '[still not working] val=[%s] ' % (val.prettyPrint())
            splunkevent = trap_metadata + splunkevent
            print_xml_single_instance_mode(destination, splunkevent)

You should have good knowledge of pysnmp to write a proper response handler. I hope the developers will make one someday.

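A way to get from that default rendering to key="value" pairs without a growing pile of transforms.conf regexes: the parser below is an added example, not code from this thread or from the SNMP Modular Input. It takes the raw event text exactly as the default handler emits it (the same strings pkarpushin's handler gets back from val.prettyPrint()), handles both the "_BindValue: ... string-value=1" form that the regex above catches and the "_BindValue().setComponentByPosition(... OctetString('...'))" form it gives up on, and renders the result as key="value" so Splunk's automatic field extraction picks the pairs up. The sample event is a shortened, constructed copy of the one in the question; the sysName, sysLocation and sysServices varbinds are constructed to exercise an embedded quote, the b'...' bytes rendering of newer pyasn1 releases, and an unknown rendering. parse_trap_event, to_kv_line and the regex names are this example's own.

```python
import ast
import re

# Leading metadata the modular input prepends to every trap: key = "value"
META_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"\s*')
# A MIB-resolved varbind name: MODULE::symbol.index (index may be empty, e.g. "itdbTrapType.")
NAME_RE = re.compile(r'([\w-]+::\w+)\.([\d.]*)\s*=\s*')
# Rendering 1: "_BindValue: value=ObjectSyntax: simple=SimpleSyntax: string-value=1"
CHOICE_RE = re.compile(r'_BindValue:(?:\s+[\w-]+=\w+:)*\s+([\w-]+)-value=(\S*)\s*')
# Rendering 2: "_BindValue().setComponentByPosition(0, ... OctetString('text'))))"
# The innermost Type('literal') or Type(b'literal') holds the scalar we want.
LITERAL_RE = re.compile(r"""(\w+)\((b?'(?:[^'\\]|\\.)*'|b?"(?:[^"\\]|\\.)*")\)\)*\s*""")
# Whitespace that precedes the next varbind name (used only for unknown renderings)
NEXT_RE = re.compile(r'\s+(?=[\w-]+::\w+\.[\d.]*\s*=)')


def parse_trap_event(event):
    """Split the default trap rendering into an ordered list of (key, value) pairs."""
    fields = []
    pos = 0
    while True:  # leading metadata pairs
        m = META_RE.match(event, pos)
        if not m:
            break
        fields.append((m.group(1), m.group(2)))
        pos = m.end()
    while pos < len(event):  # one varbind per iteration
        m = NAME_RE.match(event, pos)
        if not m:
            raise ValueError('unexpected text at offset %d: %r' % (pos, event[pos:pos + 40]))
        key = m.group(1) + ('.' + m.group(2) if m.group(2) else '')
        pos = m.end()
        if event.startswith('_BindValue().', pos):
            lit = LITERAL_RE.search(event, pos)
            if lit is None:
                raise ValueError('no scalar literal found for %s' % key)
            # literal_eval only accepts Python literals, so trap text cannot run as code
            value = ast.literal_eval(lit.group(2))
            if isinstance(value, bytes):
                value = value.decode('utf-8', 'replace')
            pos = lit.end()
        elif event.startswith('_BindValue:', pos):
            ch = CHOICE_RE.match(event, pos)
            if ch is None:
                raise ValueError('unparsed choice rendering for %s' % key)
            value = ch.group(2)
            pos = ch.end()
        else:
            # Unknown rendering: keep the raw text up to the next varbind as-is
            nxt = NEXT_RE.search(event, pos)
            end = nxt.start() if nxt else len(event)
            value = event[pos:end]
            pos = nxt.end() if nxt else len(event)
        fields.append((key, value))
    return fields


def to_kv_line(fields, strip_module=True):
    """Render pairs as key="value"; quotes and backslashes inside values are escaped so a
    crafted trap string cannot forge extra fields in the indexed event."""
    parts = []
    for key, value in fields:
        if strip_module and '::' in key:
            key = key.split('::', 1)[1]
        escaped = str(value).replace('\\', '\\\\').replace('"', '\\"')
        parts.append('%s="%s"' % (key, escaped))
    return ' '.join(parts)


# Constructed sample: a shortened copy of the event in the question plus three extra varbinds
SAMPLE = (
    'notification_from_address = "10.134.32.241" notification_from_port = "60716" '
    'SNMPv2-MIB::sysUpTime.0 = _BindValue: value=ObjectSyntax: application-wide=ApplicationSyntax: timeticks-value=0 '
    'SNMPv2-MIB::snmpTrapOID.0 = _BindValue: value=ObjectSyntax: simple=SimpleSyntax: objectID-value=1.3.6.1.4.1.2.6.245.1.26543.6.2.44 '
    "IBMTROYDATABASESYSTEM-MIB::itdbTrapSeverity. = _BindValue().setComponentByPosition(0, ObjectSyntax().setComponentByPosition(0, SimpleSyntax().setComponentByPosition(1, OctetString('Warning')))) "
    "IBMTROYDATABASESYSTEM-MIB::itdbTrapText. = _BindValue().setComponentByPosition(0, ObjectSyntax().setComponentByPosition(0, SimpleSyntax().setComponentByPosition(1, OctetString('STG 71, topology change detected')))) "
    "SNMPv2-MIB::sysName. = _BindValue().setComponentByPosition(0, ObjectSyntax().setComponentByPosition(0, SimpleSyntax().setComponentByPosition(1, OctetString('Rack \"A\" (test)')))) "
    "SNMPv2-MIB::sysLocation. = _BindValue().setComponentByPosition(0, ObjectSyntax().setComponentByPosition(0, SimpleSyntax().setComponentByPosition(1, OctetString(b'Commack, NY')))) "
    'SNMPv2-MIB::sysServices.0 = SomethingElse 42 '
    'IBMTROYDATABASESYSTEM-MIB::itdbTrapComponentType. = _BindValue: value=ObjectSyntax: simple=SimpleSyntax: string-value=1'
)

if __name__ == '__main__':
    print(to_kv_line(parse_trap_event(SAMPLE)))
```

Dropped into a custom handler, parse_trap_event would take the place of the single regex, and to_kv_line the string concatenation; the module prefix is stripped by default because MODULE::symbol is an awkward Splunk field name. Treat trap contents as untrusted input from the network: the literal is decoded with ast.literal_eval rather than eval, and the quote escaping keeps a hostile OctetString from injecting key="value" pairs of its own into the event.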

Damien_Dallimor
Ultra Champion

That is just the default output format. The good thing is that the SNMP Modular Input allows you to plug in your own custom response handler so that you can preprocess the raw trap response and format it how you wish for Splunk indexing.

To do this you just add a handler to responsehandlers.py and then declare the handler name in your SNMP stanza setup.

You can see some example custom handlers here. The DefaultResponseHandler has some trap formatting code you could use as a starting point.
