Send SNMP events to Splunk
This documentation does not apply to the most recent version of Splunk.
This topic covers ways to receive and index SNMP traps at the Splunk indexer. SNMP traps are alerts fired off by remote devices; these devices need to be configured to send their traps to Splunk's IP address. The default port for SNMP traps is udp:162. This topic does not cover SNMP polling, which is a way to query remote devices.
On UNIX
The most effective way to index SNMP traps is to use snmptrapd to write them to a file. Then, configure the Splunk server to add the file as an input.
snmptrapd itself is part of the net-snmp project. If you're installing this on your system, refer first to any local documentation for your distribution's packaging of the tool, and after that, the documentation here: http://net-snmp.sourceforge.net/docs/man/snmptrapd.html
The simplest configuration is:
# snmptrapd -Lf /var/log/snmp-traps
Note: Previously, snmptrapd would accept all incoming notifications, and log them automatically (even if no explicit configuration was provided). Starting with snmptrapd release 5.3 (check with snmptrapd --version), access control checks will be applied to all incoming notifications. If snmptrapd is run without suitable access control settings, then such traps WILL NOT be processed. You can avoid this by specifying:
# snmptrapd -Lf /var/log/snmp-traps --disableAuthorization=yes
Troubleshooting:
- If you keep the default trap listening port, udp:162, which is a privileged port (below 1024), you will have to run snmptrapd as root.
- Use the -f flag to keep snmptrapd in the foreground while testing. Use -Lo instead of -Lf to log to standard output.
- You can use the snmptrap command to generate an example trap, as in: # snmptrap -v2c -c public localhost 1 1
On Windows
To log SNMP traps to a file on Windows:
1. Install NET-SNMP from http://www.net-snmp.org/
2. Register snmptrapd as a service using the script included in the NET-SNMP install.
3. Edit C:\usr\etc\snmp\snmptrapd.conf
snmpTrapdAddr [System IP]:162 authCommunity log [community string]
4. The default log location is C:\usr\log\snmptrapd.log
MIBs
MIBs, or Management Information Bases, provide a map between the numeric OIDs reported in an SNMP trap and a textual, human-readable form. Though snmptrapd will work quite happily without any MIB files at all, the results won't be displayed in quite the same way: unresolved objects are logged as bare numeric OIDs. The vendor of the device you are receiving traps from should provide a specific MIB. For example, all Cisco device MIBs can be located using the online Cisco SNMP Object Navigator.
There are two steps required to add a new MIB file:
1. Download and copy the MIB file into the MIB search directory. The default location is /usr/local/share/snmp/mibs, although this can be set using the -M flag to snmptrapd.
2. Instruct snmptrapd to load the MIB or MIBs by passing a colon-separated list to the -m flag. There are two important details here:
- Adding a leading '+' character loads the MIB in addition to the default list, instead of overwriting the list; and
- The special keyword ALL is used to load all MIB modules in the MIB directory. The safest argument seems to be -m +ALL.
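Once snmptrapd is writing traps to a file, the file is plain text that Splunk indexes line by line, so it helps to know what fields each record carries and how to tell whether MIBs were loaded. The following parser is an added example written for this page; it is not part of the Splunk documentation or of net-snmp. It assumes snmptrapd's default (unformatted) log layout: a header line of the form `YYYY-MM-DD HH:MM:SS <agent> [UDP: [<src-ip>]:<src-port>->[<dst-ip>]:162]:` followed by one line of tab-separated varbinds written as `<name> = <type>: <value>`. The sample log embedded below is constructed for the example; its second record imitates a trap logged without the relevant MIB, so the object names appear as numeric OIDs, and the parser counts those so that the "MIB not loaded" condition in the section above becomes a searchable field.

```python
"""Turn an snmptrapd -Lf log file into one JSON object per trap.

Added example for the Splunk SNMP-trap page; not project code.
ASSUMPTION: the default snmptrapd log layout described in the lead-in.
Logs produced with a customised snmptrapd --format will not match.
"""
import json
import re

# Header: "2010-06-01 12:00:01 localhost [UDP: [127.0.0.1]:51534->[127.0.0.1]:162]:"
HEADER_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<agent>\S+) \[(?P<transport>.*)\]:$"
)
# First "[ip]:port" inside the transport string is the sender of the trap.
SRC_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]:(\d+)")
# One varbind: "<name> = <TYPE>: <value>"; the type prefix is optional.
VARBIND_RE = re.compile(r"^(?P<name>\S+) = (?:(?P<type>[A-Za-z0-9-]+): )?(?P<value>.*)$")

# Well-known objects, both as MIB names and as the numeric OIDs seen without MIBs.
TRAP_OID_NAMES = ("SNMPv2-MIB::snmpTrapOID.0", ".1.3.6.1.6.3.1.1.4.1.0")
UPTIME_NAMES = ("DISMAN-EVENT-MIB::sysUpTimeInstance", ".1.3.6.1.2.1.1.3.0")

# Constructed sample log (two traps). Record 2 was "received" with no MIB
# loaded, so every name is a raw OID; .1.3.6.1.6.3.1.1.5.3 is the standard linkDown trap.
SAMPLE_LOG = """\
2010-06-01 12:00:01 localhost [UDP: [127.0.0.1]:51534->[127.0.0.1]:162]:
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (100) 0:00:01.00\tSNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2-SMI::iso\tSNMPv2-MIB::sysLocation.0 = STRING: lab rack 3
2010-06-01 12:00:02 router1 [UDP: [192.0.2.10]:161->[127.0.0.1]:162]:
.1.3.6.1.2.1.1.3.0 = Timeticks: (4242) 0:00:42.42\t.1.3.6.1.6.3.1.1.4.1.0 = OID: .1.3.6.1.6.3.1.1.5.3\t.1.3.6.1.2.1.2.2.1.1.2 = INTEGER: 2
"""


def is_numeric_oid(name):
    """True for names like .1.3.6.1.2.1.1.3.0, i.e. objects no loaded MIB could resolve."""
    return re.fullmatch(r"\.?\d+(\.\d+)*", name) is not None


def parse_varbinds(line):
    """Split one tab-separated varbind line into an ordered {name: value} dict."""
    binds = {}
    for item in line.split("\t"):
        item = item.strip()
        if not item:
            continue
        m = VARBIND_RE.match(item)
        if m:
            binds[m.group("name")] = m.group("value")
        else:
            binds[item] = None  # keep unparseable text instead of silently dropping it
    return binds


def first_present(varbinds, names):
    for n in names:
        if n in varbinds:
            return varbinds[n]
    return None


def parse_log(text):
    """Parse the whole log text into a list of trap records."""
    records, current = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        h = HEADER_RE.match(line)
        if h:
            if current is not None:
                records.append(current)
            src = SRC_RE.search(h.group("transport"))
            current = {
                "timestamp": h.group("ts"),
                "agent": h.group("agent"),
                "transport": h.group("transport"),
                "source_ip": src.group(1) if src else None,
                "source_port": int(src.group(2)) if src else None,
                "varbinds": {},
            }
        elif current is not None:
            current["varbinds"].update(parse_varbinds(line))
    if current is not None:
        records.append(current)
    for rec in records:  # derive the fields a Splunk search will want directly
        vb = rec["varbinds"]
        rec["trap_oid"] = first_present(vb, TRAP_OID_NAMES)
        rec["uptime"] = first_present(vb, UPTIME_NAMES)
        rec["unresolved_oids"] = sum(1 for n in vb if is_numeric_oid(n))
    return records


def to_json_lines(records):
    """One JSON object per line, a layout Splunk can index with field auto-extraction."""
    return "\n".join(json.dumps(r, sort_keys=True) for r in records)


if __name__ == "__main__":
    print(to_json_lines(parse_log(SAMPLE_LOG)))
```

Run it with a real file by replacing SAMPLE_LOG with the contents of /var/log/snmp-traps; a record whose unresolved_oids is non-zero is the signal that the sending device's MIB has not been placed in the MIB directory or named in -m.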
This documentation applies to the following versions of Splunk: 4.1, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.1.5, 4.1.6, 4.1.7, 4.1.8
The option --disableAuthorization=yes can be replaced with an entry in the snmptrapd.conf file:
disableAuthorization yes
Not recommended for production but very handy for testing.