Created and configured a new SNMP input (inputs.conf):
[snmp://read_snmp]
do_bulk_get = 0
host = 10.0.255.46
listen_traps = 1
ipv6 = 0
snmp_mode = traps
snmp_version = 2C
sourcetype = read_snmp
split_bulk_output = 0
trap_host = 10.0.255.247
trap_port = 162
v3_authProtocol = usmHMACMD5AuthProtocol
v3_privProtocol = usmDESPrivProtocol
mib_names = SNMPv2-SMI,SNMPv2-TC,IANAifType-MIB,RFC1213-MIB,SNMPv2-MIB,SNMPv2-CONF,IF-MIB
Corrections made with Splunk Answers help:
host name (localhost) to proper IP address of the Splunk host, as I set in the Cisco router.
listen_traps = 1
Results: (from this error - should I need to correct something? Please advise!)
10.0.255.103 - admin [23/Oct/2014:14:37:56.321 +0000] "GET /en-US/api/shelper?snippet=true&snippetEmbedJS=false&namespace=search&search=search+index%3D_internal+ExecProcessor+error+snmp.py+&useTypeahead=true&useAssistant=true&showCommandHelp=true&showCommandHistory=true&showFieldInfo=false&_=1414075022892 HTTP/1.1" 200 748 "http://10.0.255.247:8000/en-US/app/search/search?q=search%20index%3D*%20host%3D%2210.0.255.46%22&earliest=&latest=&sid=1414075069.31" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36" - 544912c4527fa79c57c0d0 130ms
10.0.255.103 - admin [23/Oct/2014:14:12:39.735 +0000] "GET /en-US/api/shelper?snippet=true&snippetEmbedJS=false&namespace=search&search=search+index%3D_internal+ExecProcessor+error+snmp.py+&useTypeahead=true&useAssistant=true&showCommandHelp=true&showCommandHistory=true&showFieldInfo=false&_=1414070887398 HTTP/1.1" 200 750 "http://10.0.255.247:8000/en-US/app/search/search?q=search%20index%20%3D*%20host%3D%2210.0.255.46%22&earliest=&latest=&sid=1414073547.86" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36" - 54490cd7bc7f539012ba50 262ms
Still I couldn't see any traps in the search app 😞
Is there any other thing to set up?
Please help.
Hi there,
today I installed the SPLUNK SNMP APP on our indexer/searchhead.
After I had restarted the Splunk service I configured a stanza in inputs.conf to collect SNMP traps.
[snmp://TEST_EVENT]
communitystring = public
do_bulk_get = 0
do_get_subtree = 0
index = test
ipv6 = 0
snmp_mode = traps
snmp_version = 1
sourcetype = snmp
split_bulk_output = 0
trap_rdns = 1
v3_authProtocol = usmHMACMD5AuthProtocol
v3_privProtocol = usmDESPrivProtocol
trap_host = SERVERNAME
trap_port = 162
After that I configured a server to send traps to the Splunk SH/Indexer.
I checked the splunkd.log and found the following ERROR message.
01-15-2015 08:46:55.054 +0100 ERROR ExecProcessor - message from "python /splunk/opt/splunk/etc/apps/snmp_ta/bin/snmp.py" Failed to register transport and run dispatcher: bind() for (u'SERVERNAME', 162) failed: [Errno 98] Address already in use snmp_stanza:snmp://TEST_EVENT
I tried different trap_host definitions (SERVERNAME, IP address, SERVERNAME.domain), but nothing works.
Has anybody had the same problem?
Could the problem occur because snmptrapd and snmptt are running on the server?
snmp 14758 1 0 Jan14 ? 00:00:22 /usr/sbin/snmpd -Lsd -Lf /dev/null -u snmp -g snmp -I -smux mteTrigger mteTriggerConf -p /var/run/snmpd.pid
snmptt 14760 1 0 Jan14 ? 00:00:01 /usr/sbin/snmptrapd -Lsd -Lf /var/log/snmptt/snmptt.log -On -C -c /etc/snmp/snmptrapd.conf -p /var/run/snmptrapd.pid -u snmptt
root 17440 1 0 Jan14 ? 00:00:00 /usr/bin/perl /usr/sbin/snmptt --daemon
snmptt 17441 17440 0 Jan14 ? 00:00:05 /usr/bin/perl /usr/sbin/snmptt --daemon
I did this because my first try was to collect all the traps in a dedicated file and then read the file from splunk process.
It would be very nice if someone can help me and explain where the problem is.
Me again,
I have now found my mistake. As I said in my answer, I had to stop the snmptrapd process and now I see data in Splunk.
But until I saw data in splunk search I have a problem with my custom MIB.
In the splunkd.log I got this error message:
01-15-2015 12:32:31.802 +0100 ERROR ExecProcessor - message from "python /splunk/opt/splunk/etc/apps/snmp_ta/bin/snmp.py" pysnmp.smi.error.SmiError: MIB module "/splunk/opt/splunk/etc/apps/snmp_ta/bin/mibs/SAATRAP.py" load error: ['Traceback (most recent call last):\n', ' File "/splunk/opt/splunk/etc/apps/snmp_ta/bin/pysnmp-4.2.5-py2.7.egg/pysnmp/smi/builder.py", line 255, in loadModules\n exec(modData, g)\n', ' File "<string>", line 7, in <module>\n', ' File "/splunk/opt/splunk/etc/apps/snmp_ta/bin/pysnmp-4.2.5-py2.7.egg/pysnmp/smi/builder.py", line 294, in importSymbols\n \'importSymbols: empty MIB module name\'\n', 'SmiError: importSymbols: empty MIB module name\n']
Is there a way to check my py file?
Is there another logfile where I can find some more information?
Thanks.
I have nearly the same errors:
01-05-2016 15:07:46.072 +0100 ERROR ExecProcessor - message from "python E:\Splunk\etc\apps\snmp_ta\bin\snmp.py" pysnmp.smi.error.SmiError: MIB module "E:\Splunk\etc\apps\snmp_ta\bin\mibs\CISCO-LWAPP-AP-MIB.py" load error: ['Traceback (most recent call last):\n', ' File "E:\\Splunk\\etc\\apps\\snmp_ta\\bin\\pysnmp-4.2.5-py2.7.egg\\pysnmp\\smi\\builder.py", line 255, in loadModules\n exec(modData, g)\n', ' File "<string>", line 10, in <module>\n', ' File "E:\\Splunk\\etc\\apps\\snmp_ta\\bin\\pysnmp-4.2.5-py2.7.egg\\pysnmp\\smi\\builder.py", line 306, in importSymbols\n \'No symbol %s::%s at %s\' % (modName, symName, self)\n', 'SmiError: No symbol CISCO-LWAPP-DOT11-MIB::cldRegulatoryDomain at <pysnmp.smi.builder.MibBuilder instance at 0x0000002099F4F5C8>\n']
Did you solve your problem?
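Added example, not part of the original thread or of the snmp_ta app: a static check for the two MIB load errors quoted above (an empty module name passed to `importSymbols`, and a symbol that a dependency module does not export). It reads compiled pysnmp MIB files with `ast` instead of running them; the function names, the `shipped` parameter, the sample file contents and `constructedObject` are constructed for illustration.

```python
import ast

def scan_mib(source):
    """Collect importSymbols/exportSymbols calls without executing the file."""
    imports, exports = [], set()
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)):
            continue
        if node.func.attr == "importSymbols":
            # Compiled MIBs pass string literals: module name, then symbol names.
            args = [a.value for a in node.args if isinstance(a, ast.Constant)]
            imports.append((args[0] if args else "", args[1:], node.lineno))
        elif node.func.attr == "exportSymbols":
            for kw in node.keywords:
                if kw.arg:                              # name=name form
                    exports.add(kw.arg)
                elif isinstance(kw.value, ast.Dict):    # **{"name": name} form
                    exports.update(k.value for k in kw.value.keys
                                   if isinstance(k, ast.Constant))
    return sorted(imports, key=lambda item: item[2]), exports

def check_mibs(sources, shipped=frozenset()):
    """sources: {module name: file text}; shipped: modules provided elsewhere."""
    scanned = {name: scan_mib(text) for name, text in sources.items()}
    problems = []
    for name, (imports, _) in sorted(scanned.items()):
        for module, symbols, line in imports:
            if not module:
                problems.append(f"{name}:{line}: empty MIB module name")
            elif module in shipped:
                continue
            elif module not in scanned:
                problems.append(f"{name}:{line}: module {module} not found")
            else:
                missing = [s for s in symbols if s not in scanned[module][1]]
                problems += [f"{name}:{line}: no symbol {module}::{s}" for s in missing]
    return problems

# Constructed file contents (not the real MIBs from the thread).
SAMPLES = {
    "SAATRAP": '( Integer, ) = mibBuilder.importSymbols("ASN1", "Integer")\n'
               '( enterprises, ) = mibBuilder.importSymbols("", "enterprises")\n',
    "CISCO-LWAPP-AP-MIB": '( cldRegulatoryDomain, ) = mibBuilder.importSymbols('
                          '"CISCO-LWAPP-DOT11-MIB", "cldRegulatoryDomain")\n',
    "CISCO-LWAPP-DOT11-MIB": 'mibBuilder.exportSymbols("CISCO-LWAPP-DOT11-MIB", '
                             'constructedObject=constructedObject)\n',
}

if __name__ == "__main__":
    print("\n".join(check_mibs(SAMPLES, shipped={"ASN1"})))
```

To use it on real files, build `sources` from the `.py` files in the app's mibs directory and list the modules that pysnmp itself provides in `shipped`.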
Thanks Damien
Yes. It actually works well. Previously, no traps were generated by the Cisco; once I shut down and turned on the IF, it sent some traps.
Thanks,
By the way, can I set the inputs.conf in my heavy forwarder and forward the logs from the device to the forwarder IP? I don't want my search head to do this receiving job.
Yes, using a forwarder (heavy or universal) would be the recommended approach.
Can you confirm that port 162 is getting opened and listening?
Try hostname rather than IP for binding?
Can you see the actual traps being sent on the wire to the expected port/interface? (i.e. using Wireshark)
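Added example, not part of the original thread: the checks asked for above (is port 162 bound, does the trap_host name resolve) together with the `[Errno 98] Address already in use` failure from the splunkd.log line earlier in the thread, written as a bind probe plus a reader for Linux `/proc/net/udp`. The function names and the sample table are constructed, and the address decoding assumes a little-endian host.

```python
import errno
import socket

def probe_trap_bind(host, port):
    """Attempt the UDP bind a trap receiver performs and classify the result."""
    try:
        info = socket.getaddrinfo(host, port, socket.AF_INET, socket.SOCK_DGRAM)
    except socket.gaierror:
        return "unresolvable"          # trap_host name does not resolve
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        sock.bind(info[0][4])
    except OSError as exc:
        known = {errno.EADDRINUSE: "in_use",            # Errno 98 on Linux
                 errno.EACCES: "permission_denied",     # port < 1024 without privilege
                 errno.EADDRNOTAVAIL: "not_local"}      # address not on this host
        return known.get(exc.errno, "error %d" % exc.errno)
    finally:
        sock.close()
    return "free"

def udp_listeners(proc_net_udp_text, port):
    """Return local IPv4 addresses bound to `port` in Linux /proc/net/udp text."""
    found = []
    for line in proc_net_udp_text.splitlines()[1:]:      # skip header row
        fields = line.split()
        if len(fields) < 2:
            continue
        hex_ip, hex_port = fields[1].split(":")
        if int(hex_port, 16) == port:
            # Assumes a little-endian host: address bytes are stored reversed.
            found.append(socket.inet_ntoa(bytes.fromhex(hex_ip)[::-1]))
    return found

# Constructed sample of /proc/net/udp with one socket on 0.0.0.0:162 (0x00A2).
SAMPLE_PROC_NET_UDP = (
    "  sl  local_address rem_address   st tx_queue rx_queue\n"
    "  10: 00000000:00A2 00000000:0000 07 00000000:00000000\n"
    "  11: 0100007F:0035 00000000:0000 07 00000000:00000000\n"
)

if __name__ == "__main__":
    print(probe_trap_bind("0.0.0.0", 162))
    with open("/proc/net/udp") as table:
        print(udp_listeners(table.read(), 162))
```

An `in_use` result while the SNMP input is stopped means another process already holds the port, as snmptrapd did in the thread; `permission_denied` means the probe ran without the privilege needed for ports below 1024.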