SNMP Modular input : unable to get snmp traps

splunker12er
Motivator
  • Configured a Cisco router to send traps to my Splunk, via port 162;
  • Installed the SNMP add-on;
  • Downloaded the SNMPv2-SMI, SNMPv2-TC, IANAifType-MIB, RFC1213-MIB, SNMPv2-MIB, SNMPv2-CONF and IF-MIB MIBs from the Cisco website and converted them to Python files with 'build-pysnmp-mib' (e.g. SNMPv2-CONF.py, IF-MIB.py). Is this fine, or is compiled code needed?
  • Moved the .py files to the $SPLUNK_ROOT/etc/apps/snmp_ta/bin/mibs/ directory;
  • Created and configured a new SNMP input (inputs.conf):

    [snmp://read_snmp]
    do_bulk_get = 0
    host = 10.0.255.46
    listen_traps = 1
    ipv6 = 0
    snmp_mode = traps
    snmp_version = 2C
    sourcetype = read_snmp
    split_bulk_output = 0
    trap_host = 10.0.255.247
    trap_port = 162
    v3_authProtocol = usmHMACMD5AuthProtocol
    v3_privProtocol = usmDESPrivProtocol
    mib_names = SNMPv2-SMI,SNMPv2-TC,IANAifType-MIB,RFC1213-MIB,SNMPv2-MIB,SNMPv2-CONF,IF-MIB

Corrections made with Splunk Answers' help:

  • Corrected the host name (localhost) to the proper IP address of the Splunk host, as I set it in the Cisco router.
  • Updated the conf file with listen_traps = 1
  • Checked for errors with the query: "index=_internal ExecProcessor error snmp.py"

Results (from this error; do I need to correct something? Please advise!):

10.0.255.103 - admin [23/Oct/2014:14:37:56.321 +0000] "GET /en-US/api/shelper?snippet=true&snippetEmbedJS=false&namespace=search&search=search+index%3D_internal+ExecProcessor+error+snmp.py+&useTypeahead=true&useAssistant=true&showCommandHelp=true&showCommandHistory=true&showFieldInfo=false&_=1414075022892 HTTP/1.1" 200 748 "http://10.0.255.247:8000/en-US/app/search/search?q=search%20index%3D*%20host%3D%2210.0.255.46%22&earliest=&latest=&sid=1414075069.31" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36" - 544912c4527fa79c57c0d0 130ms

10.0.255.103 - admin [23/Oct/2014:14:12:39.735 +0000] "GET /en-US/api/shelper?snippet=true&snippetEmbedJS=false&namespace=search&search=search+index%3D_internal+ExecProcessor+error+snmp.py+&useTypeahead=true&useAssistant=true&showCommandHelp=true&showCommandHistory=true&showFieldInfo=false&_=1414070887398 HTTP/1.1" 200 750 "http://10.0.255.247:8000/en-US/app/search/search?q=search%20index%20%3D*%20host%3D%2210.0.255.46%22&earliest=&latest=&sid=1414073547.86" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36" - 54490cd7bc7f539012ba50 262ms

Still I couldn't see any traps in the search app 😞
Is there anything else to set up?

Please help.

0 Karma

krusty
Contributor

Hi there,

today I installed the SPLUNK SNMP APP on our indexer/searchhead.
After I had restarted the splunk service, I configured a stanza in inputs.conf to collect SNMP traps.

[snmp://TEST_EVENT]
communitystring = public
do_bulk_get = 0
do_get_subtree = 0
index = test
ipv6 = 0
snmp_mode = traps
snmp_version = 1
sourcetype = snmp
split_bulk_output = 0
trap_rdns = 1
v3_authProtocol = usmHMACMD5AuthProtocol
v3_privProtocol = usmDESPrivProtocol
trap_host = SERVERNAME
trap_port = 162

After that I configured a server to send traps to the Splunk SH/Indexer.

I checked the splunkd.log and found the following ERROR message.

01-15-2015 08:46:55.054 +0100 ERROR ExecProcessor - message from "python /splunk/opt/splunk/etc/apps/snmp_ta/bin/snmp.py" Failed to register transport and run dispatcher: bind() for (u'SERVERNAME', 162) failed: [Errno 98] Address already in use snmp_stanza:snmp://TEST_EVENT

I tried different trap_host definitions (SERVERNAME, IP address, SERVERNAME.domain). But nothing works.

Has anybody had the same problems?
Could the problem occur because snmptrapd and snmptt are running on the server?

snmp     14758     1  0 Jan14 ?        00:00:22 /usr/sbin/snmpd -Lsd -Lf /dev/null -u snmp -g snmp -I -smux mteTrigger mteTriggerConf -p /var/run/snmpd.pid
snmptt   14760     1  0 Jan14 ?        00:00:01 /usr/sbin/snmptrapd -Lsd -Lf /var/log/snmptt/snmptt.log -On -C -c /etc/snmp/snmptrapd.conf -p /var/run/snmptrapd.pid -u snmptt
root     17440     1  0 Jan14 ?        00:00:00 /usr/bin/perl /usr/sbin/snmptt --daemon
snmptt   17441 17440  0 Jan14 ?        00:00:05 /usr/bin/perl /usr/sbin/snmptt --daemon

I did this because my first try was to collect all the traps in a dedicated file and then read the file from splunk process.

It would be very nice if someone can help me and explain where the problem is.

0 Karma

krusty
Contributor

Me again,

I have now found out my mistake. As I said in my answer, I had to stop the snmptrapd process and now I see data in splunk.
But although I see data in splunk search, I have a problem with my custom MIB.
In the splunkd.log I got this error message:

01-15-2015 12:32:31.802 +0100 ERROR ExecProcessor - message from "python /splunk/opt/splunk/etc/apps/snmp_ta/bin/snmp.py" pysnmp.smi.error.SmiError: MIB module "/splunk/opt/splunk/etc/apps/snmp_ta/bin/mibs/SAATRAP.py" load error: ['Traceback (most recent call last):\n', '  File "/splunk/opt/splunk/etc/apps/snmp_ta/bin/pysnmp-4.2.5-py2.7.egg/pysnmp/smi/builder.py", line 255, in loadModules\n    exec(modData, g)\n', '  File "<string>", line 7, in <module>\n', '  File "/splunk/opt/splunk/etc/apps/snmp_ta/bin/pysnmp-4.2.5-py2.7.egg/pysnmp/smi/builder.py", line 294, in importSymbols\n    \'importSymbols: empty MIB module name\'\n', 'SmiError: importSymbols: empty MIB module name\n']

Is there a way to check my py file?
Is there another logfile where I can find some more information?

Thanks.

0 Karma

nikkkc
Path Finder

I have nearly the same errors:

01-05-2016 15:07:46.072 +0100 ERROR ExecProcessor - message from "python E:\Splunk\etc\apps\snmp_ta\bin\snmp.py" pysnmp.smi.error.SmiError: MIB module "E:\Splunk\etc\apps\snmp_ta\bin\mibs\CISCO-LWAPP-AP-MIB.py" load error: ['Traceback (most recent call last):\n', ' File "E:\\Splunk\\etc\\apps\\snmp_ta\\bin\\pysnmp-4.2.5-py2.7.egg\\pysnmp\\smi\\builder.py", line 255, in loadModules\n exec(modData, g)\n', ' File "<string>", line 10, in <module>\n', ' File "E:\\Splunk\\etc\\apps\\snmp_ta\\bin\\pysnmp-4.2.5-py2.7.egg\\pysnmp\\smi\\builder.py", line 306, in importSymbols\n \'No symbol %s::%s at %s\' % (modName, symName, self)\n', 'SmiError: No symbol CISCO-LWAPP-DOT11-MIB::cldRegulatoryDomain at <pysnmp.smi.builder.MibBuilder instance at 0x0000002099F4F5C8>\n']

Did you solve your problem?

0 Karma
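Both SmiError messages in this thread (krusty's "importSymbols: empty MIB module name" and nikkkc's "No symbol CISCO-LWAPP-DOT11-MIB::cldRegulatoryDomain") are raised by pysnmp's MibBuilder while it executes a compiled MIB .py file, so they can be caught before snmp.py loads anything. The checker below is an added example, not part of the SNMP TA or of pysnmp: it scans a mibs/ directory for the importSymbols()/exportSymbols() calls that build-pysnmp-mib emits and reports an empty module name, a dependency module that was never compiled, or a symbol the dependency does not export. The BUILTIN_MIBS set (modules pysnmp ships itself) is an assumed core subset; the sample files it checks are constructed to mirror the two error shapes.

```python
import os
import re
import tempfile

# MIB modules pysnmp 4.x ships itself (core subset, assumed; extend as needed).
BUILTIN_MIBS = {"ASN1", "ASN1-ENUMERATION", "ASN1-REFINEMENT", "SNMPv2-SMI",
                "SNMPv2-TC", "SNMPv2-CONF", "SNMPv2-MIB"}
# Shapes emitted by build-pysnmp-mib: importSymbols("MOD", "sym", ...) / exportSymbols("MOD", sym=sym, ...)
IMPORT_RE = re.compile(r'importSymbols\(\s*"([^"]*)"((?:\s*,\s*"[^"]*")*)')
EXPORT_RE = re.compile(r'exportSymbols\(\s*"[^"]+"\s*,(.*?)\)', re.S)
KEYWORD_RE = re.compile(r'\b(\w+)\s*=')

def exported_symbols(text):
    """Keyword names passed to mibBuilder.exportSymbols() in a compiled MIB."""
    return {n for args in EXPORT_RE.findall(text) for n in KEYWORD_RE.findall(args)}

def check_mib_dir(mib_dir, builtin=BUILTIN_MIBS):
    """Map each compiled MIB file to the importSymbols() failures it would raise."""
    files = {f[:-3]: os.path.join(mib_dir, f) for f in os.listdir(mib_dir) if f.endswith(".py")}
    exports, problems = {}, {}
    for mod, path in files.items():
        errs = []
        for imp_mod, raw_syms in IMPORT_RE.findall(open(path).read()):
            syms = re.findall(r'"([^"]*)"', raw_syms)
            if not imp_mod:                      # krusty's SAATRAP.py error
                errs.append("empty MIB module name in importSymbols()")
            elif imp_mod in builtin:
                continue
            elif imp_mod not in files:           # nikkkc's error: dependency never compiled
                errs.append("missing module %s (provides %s)" % (imp_mod, ", ".join(syms)))
            else:
                if imp_mod not in exports:
                    exports[imp_mod] = exported_symbols(open(files[imp_mod]).read())
                errs += ["No symbol %s::%s" % (imp_mod, s) for s in syms if s not in exports[imp_mod]]
        if errs:
            problems[mod + ".py"] = errs
    return problems

def build_sample_dir():
    """Constructed mibs/ directory reproducing the error shapes seen in this thread."""
    d = tempfile.mkdtemp()
    samples = {
        "IF-MIB.py": '( Integer, ) = mibBuilder.importSymbols("ASN1", "Integer")\n'
                     'mibBuilder.exportSymbols("IF-MIB", ifIndex=ifIndex, ifDescr=ifDescr)\n',
        "SAATRAP.py": '( ifIndex, ) = mibBuilder.importSymbols("", "ifIndex")\n',
        "CISCO-LWAPP-AP-MIB.py": '( cldRegulatoryDomain, ) = mibBuilder.importSymbols("CISCO-LWAPP-DOT11-MIB", "cldRegulatoryDomain")\n'
                                 '( ifIndex, ifSpeed, ) = mibBuilder.importSymbols("IF-MIB", "ifIndex", "ifSpeed")\n',
    }
    for name, body in samples.items(): open(os.path.join(d, name), "w").write(body)
    return d
```

Point check_mib_dir() at $SPLUNK_ROOT/etc/apps/snmp_ta/bin/mibs/ to get the same report for real compiled files; a "missing module" entry means that MIB also has to be downloaded and converted before the one that imports it will load.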

splunker12er
Motivator

Thanks Damien

0 Karma

splunker12er
Motivator

Yes, it actually works well. Previously, no traps were generated by the Cisco; once I shut down and brought up the interface, it sent some traps.

Thanks,

By the way, can I set the inputs.conf on my heavy forwarder and forward the logs from the device to the forwarder IP? I don't want my search head to do this receiving job.

0 Karma

Damien_Dallimor
Ultra Champion

Yes, using a forwarder (heavy or universal) would be the recommended approach.

0 Karma

Damien_Dallimor
Ultra Champion

Can you confirm that port 162 is getting opened and listening?

Try the hostname rather than the IP for binding?

Can you see the actual traps being sent on the wire to the expected port/interface? (i.e. using Wireshark)

0 Karma
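The first two checks above (is port 162 bindable, does hostname vs. IP matter) and krusty's "bind() ... [Errno 98] Address already in use" all come down to one UDP bind() call on trap_host/trap_port. This added example, not code from the SNMP TA, performs that bind from the Splunk host and names the failure: "in-use" when another process such as snmptrapd owns the port, "not-local" when trap_host is not an address of that machine, "unresolvable" when the name does not resolve, "no-privilege" for port 162 without root. hold_udp_port() is a constructed stand-in for a competing listener so the check can be exercised offline.

```python
import errno
import socket
import sys

def check_udp_bind(host, port):
    """Attempt the same UDP bind the TA's trap listener performs for
    trap_host/trap_port and name the reason when it fails."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        s.bind((host, port))
        return "ok"                # free: nothing (not even snmp.py) is listening here
    except socket.gaierror:
        return "unresolvable"      # trap_host name does not resolve on this host
    except OSError as e:
        if e.errno == errno.EADDRINUSE:
            return "in-use"        # another process (e.g. snmptrapd) already owns it
        if e.errno == errno.EADDRNOTAVAIL:
            return "not-local"     # trap_host is not an address of this machine
        if e.errno == errno.EACCES:
            return "no-privilege"  # ports below 1024 need root or CAP_NET_BIND_SERVICE
        return "error:%d" % e.errno
    finally:
        s.close()

def hold_udp_port(host="127.0.0.1"):
    """Constructed stand-in for a competing listener: bind an ephemeral UDP
    port and return (socket, port) so the caller can test against it."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind((host, 0))
    return s, s.getsockname()[1]

if __name__ == "__main__":
    # e.g. python check_trap_port.py 10.0.255.247 162 on the Splunk host:
    # with snmp.py stopped, "ok" means the TA can bind and "in-use" means
    # something else holds the port; with snmp.py running, "in-use" is expected.
    print(check_udp_bind(sys.argv[1], int(sys.argv[2])))
```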