Ingest SNMP traps into ITSI
Ingest SNMP traps into Splunk Enterprise and feed them into ITSI for easy review and correlation. After you configure Splunk Enterprise and ITSI to receive and process SNMP traps, enable the default correlation search and aggregation policy to view and triage the traps in Episode Review.
Prerequisite
| Requirement | Description |
|---|---|
| ITSI role | You must have the `write_itsi_correlation_search` capability to ingest SNMP traps into ITSI. The `itoa_admin` and `itoa_team_admin` ITSI roles have this capability by default. |
Step 1: Install and configure snmptrapd
- To ingest SNMP traps in ITSI, you must install and configure `snmptrapd`, an application that receives and logs SNMP TRAP and INFORM messages and resolves them using vendor Management Information Bases (MIBs). Before you install `snmptrapd` on your system, see the SNMPTRAPD manual page.
- To configure the logging format, open `snmptrapd.conf` and add the following stanza (each `format1` and `format2` directive is a single line; the literal `\n` sequences are expanded by `snmptrapd` into line breaks in the log):

```
# snmptrapd formatting
# http://www.net-snmp.org/wiki/index.php/TUT:Configuring_snmptrapd_to_parse_MIBS_from_3rd_party_Vendors
# SNMPV1
format1 Agent_Address = %A\nAgent_IP = %b\nAgent_Hostname = %B\nDate = %#y-%#02.2m-%#02.2l %#02.2h:%#02.2j:%#02.2k\nEnterprise_OID = %N\nTrap_Type = %w\nTrap_SubType = %q\nCommunity_Infosec_Context = %P\nUptime = %T\nDescription = %W\nPDU_Attribute_Value_Pair_Array:\n%V\n%v\n---\n
# SNMPV2
format2 Agent_Address = %A\nAgent_IP = %b\nAgent_Hostname = %B\nDate = %#y-%#02.2m-%#02.2l %#02.2h:%#02.2j:%#02.2k\nEnterprise_OID = %N\nTrap_Type = %w\nTrap_SubType = %q\nCommunity_Infosec_Context = %P\nUptime = %T\nDescription = %W\nPDU_Attribute_Value_Pair_Array:\n%V\n%v\n---\n
```
Step 2: Send SNMP events to your Splunk deployment
For instructions on getting SNMP events into your Splunk deployment, see Send SNMP events to your Splunk deployment in the Splunk Enterprise Getting Data In manual.
Step 3: Configure the snmptrapd index
After you install and configure `snmptrapd`, you need to tell Splunk software and ITSI where to find the SNMP data and how to parse it. Use the following ITSI configuration files to instruct Splunk software to monitor the file that `snmptrapd` is writing to, and to parse and extract the key-value pairs that carry the important information contained in the traps.
Where you deploy these configurations depends on the type of Splunk deployment you have. For more information, see Where to install IT Service Intelligence in a distributed environment.
inputs.conf
Add the following stanza to the local version of `inputs.conf`:

```
[monitor:///var/log/snmptrapd.log]
disabled = false
index = snmptrapd
sourcetype = snmptrapd
```

This stanza tells your Splunk instance where to look for your data. Deploy this configuration on forwarders or Splunk instances co-located with `snmptrapd`.
props.conf
Add the following stanza to the local version of `props.conf`:

```
[snmptrapd]
DATETIME_CONFIG =
KV_MODE = none
LINE_BREAKER = ([\r\n]+)Agent_Address\s=
MAX_TIMESTAMP_LOOKAHEAD = 30
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
TIME_FORMAT = %Y-%m-%d %H:%M:%S
TIME_PREFIX = Date\s=\s
TZ = UTC
category = Custom
description = parse snmptrapd logging with custom kvpair splunk formatting
disabled = false
pulldown_type = true
EXTRACT-node = ^[^\[\n]*\[(?P<node>[^\]]+)
REPORT-snmptrapd = snmptrapd_kv
```

This stanza sets line-breaking rules and extracts the timestamp. In this case, the timestamp is the time that the `snmptrapd` server received the trap. This stanza also ensures that Splunk knows how to parse the time format.
Deploy this configuration to your heavy forwarder, indexer, and search heads.
transforms.conf
Add the following stanza to the local version of `transforms.conf`:

```
[snmptrapd_kv]
DELIMS = "\n","="
```

This stanza extracts all key-value pairs in the SNMP trap. Deploy this configuration to your heavy forwarder, indexer, and/or search heads.
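To see what the `props.conf` line breaker, timestamp settings, `EXTRACT-node` regex and the `transforms.conf` `DELIMS` extraction above will produce before deploying them, the following added example (not part of the Splunk documentation, and only an approximation of Splunk's index-time and search-time processing) runs those same regexes over a constructed two-trap `snmptrapd.log` excerpt written in the `format1` layout:

```python
import re
from datetime import datetime, timezone

# Constructed two-trap excerpt of /var/log/snmptrapd.log in the page's format1
# layout; the addresses, hostname and varbinds are made up.
SAMPLE_LOG = (
    "Agent_Address = 10.0.0.5\n"
    "Agent_IP = UDP: [10.0.0.5]:161->[10.0.0.9]:162\n"
    "Agent_Hostname = switch01\n"
    "Date = 2024-03-01 12:34:56\n"
    "Enterprise_OID = IF-MIB::linkDown\nTrap_Type = 6\nTrap_SubType = 3\n"
    "Community_Infosec_Context = public\n"
    "Uptime = 0:1:02:03.00\nDescription = Link down\n"
    "PDU_Attribute_Value_Pair_Array:\n"
    "IF-MIB::ifIndex.3 = 3\nIF-MIB::ifOperStatus.3 = down\n---\n"
    "Agent_Address = 10.0.0.6\nDate = 2024-03-01 12:35:10\n"
    "Enterprise_OID = IF-MIB::linkUp\n---\n"
)

# Regexes copied from the page's props.conf stanza.
LINE_BREAKER = re.compile(r"([\r\n]+)Agent_Address\s=")
TIME_PREFIX = re.compile(r"Date\s=\s")
TIME_FORMAT = "%Y-%m-%d %H:%M:%S"
NODE_RE = re.compile(r"^[^\[\n]*\[(?P<node>[^\]]+)")  # EXTRACT-node

def break_events(raw):
    """Cut where LINE_BREAKER's capture group ends: Splunk drops the captured
    newlines, so every event starts with 'Agent_Address ='."""
    starts = [0] + [m.end(1) for m in LINE_BREAKER.finditer(raw)]
    return [raw[a:b].strip() for a, b in zip(starts, starts[1:] + [len(raw)])]

def parse_event(event):
    """Approximate the timestamp, EXTRACT-node and DELIMS steps for one event."""
    # TIME_PREFIX, then at most MAX_TIMESTAMP_LOOKAHEAD (30) chars, TZ = UTC.
    ts, m = None, TIME_PREFIX.search(event)
    if m:
        tm = re.match(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}", event[m.end():m.end() + 30])
        if tm:
            ts = datetime.strptime(tm.group(), TIME_FORMAT).replace(tzinfo=timezone.utc)
    # EXTRACT-node needs a '[...]' token on the event's first line; with a bare
    # IP in Agent_Address, as constructed here, it extracts nothing.
    nm = NODE_RE.match(event)
    # DELIMS = "\n","=": one pair per line, key left of the first '='. Lines
    # without '=' ('PDU_...:', '---') give no field; varbind names such as
    # IF-MIB::ifIndex.3 become field names. Whitespace trimming is assumed here.
    fields = {}
    for line in event.split("\n"):
        if "=" in line:
            k, v = line.split("=", 1)
            fields[k.strip()] = v.strip()
    return {"_time": ts, "node": nm.group("node") if nm else None, "fields": fields}
```

Varbind values that themselves contain `=` are worth verifying in search after deployment, since this approximation splits only on the first `=`.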
default.meta.conf
Add the following stanza to the local version of `default.meta.conf`:

```
[]
access = read : [ * ], write : [ admin ]
export = system
```

This stanza includes a `local.meta.conf` file in the ITSI application that exports permissions to the system. Deploy this configuration on your search heads.
Step 5: Enable the SNMP correlation search and aggregation policy
ITSI provides the following default correlation search and aggregation policy for processing SNMP traps:
- SNMP Traps: a default correlation search that generates a notable event for each SNMP trap received through Splunk.
- Default SNMP Policy: a default notable event aggregation policy that aggregates individual SNMP trap events into episodes in Episode Review.
- To enable the correlation search, click Configuration > Correlation Searches and enable the SNMP Traps search in the Status column.
- To enable the aggregation policy, click Configuration > Notable Event Aggregation Policies and enable the Default SNMP Policy in the Status column.
This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.11.0, 4.11.1, 4.11.2, 4.11.3, 4.11.4, 4.11.5, 4.11.6, 4.12.0 Cloud only, 4.12.1 Cloud only, 4.12.2 Cloud only, 4.13.0, 4.13.1, 4.13.2, 4.13.3, 4.14.0 Cloud only, 4.14.1 Cloud only, 4.14.2 Cloud only, 4.15.0, 4.15.1, 4.15.2, 4.15.3, 4.16.0 Cloud only, 4.17.0, 4.17.1, 4.18.0, 4.18.1, 4.19.0, 4.19.1