Send SNMP events to Splunk Enterprise

NOTE - Splunk version 4.x reached its End of Life on October 1, 2013. Please see the migration information.

Simple Network Management Protocol (SNMP) traps are alerts that remote devices send out. This topic describes how to receive and index SNMP traps at the Splunk Enterprise indexer.

Note: The procedures shown in this topic (for both *nix and Windows) are examples only. You can accomplish the task of sending SNMP traps to Splunk Enterprise in a number of ways. For example, instead of using Net-SNMP, you can use other tools, such as Snare or SNMPGate, to write SNMP traps to file storage for monitoring by Splunk Enterprise.

For information on how to use Splunk Enterprise as a monitoring tool to send SNMP alerts to other systems, such as a Network Management System console, see "Send SNMP traps to other systems" in the Alerting manual.

How to index SNMP traps

The most effective way to index SNMP traps is to first write them to a file on the Splunk Enterprise server. Then, configure Splunk Enterprise to monitor the file.

There are three steps:

1. Configure the remote devices to send their traps directly to the Splunk server's IP address. The default port for SNMP traps is udp:162.

2. Write the SNMP traps to a file on the Splunk server, as described later in this topic.

3. Configure Splunk Enterprise to monitor the file, as described in "Monitor files and directories".

Note: This topic does not cover SNMP polling, which is a way to query remote devices.

Write SNMP traps to a file on the Splunk server

For information about available SNMP software, visit the SNMP portal (http://www.snmplink.org) website.

For *nix

On *nix, you can use the snmptrapd binary from the Net-SNMP project to write SNMP traps to a file.

Before installing snmptrapd on your system, see the local documentation for the version of snmptrapd that comes with your distribution of *nix. See also the manual page for snmptrapd.

The simplest configuration is:

# snmptrapd -Lf /var/log/snmp-traps

Note: Versions 5.3 and later of snmptrapd apply access control checks to all incoming notifications rather than accepting and logging every notification automatically, even when no explicit configuration is provided. If you run snmptrapd without suitable access control settings, it does not process those traps. You can avoid this by specifying:

# snmptrapd -Lf /var/log/snmp-traps --disableAuthorization=yes

To see the version of snmptrapd, run snmptrapd --version from the command prompt.

Troubleshoot problems with SNMP

If you experience problems sending SNMP traps to Splunk Enterprise, consider that:

  • UDP port 162 is a privileged network port. If you need to use this port, then you must run snmptrapd as root.
  • You can use the -f flag to keep snmptrapd in the foreground while testing.
  • You can use the -Lo flags instead of -Lf to log to standard output.
  • You can use the snmptrap command (not snmptrapd) to generate an example trap, as in:

# snmptrap -v2c -c public localhost 1 1

For Windows

To log SNMP traps to a file on Windows:

1. Download and install the latest version of NET-SNMP for Windows from the NET-SNMP website.

Note: The OpenSSL library must not be installed on the system because it conflicts with NET-SNMP.

2. Register snmptrapd as a service using the script included in the NET-SNMP install.

3. Edit C:\usr\etc\snmp\snmptrapd.conf:

snmpTrapdAddr [System IP]:162
authCommunity log [community string]

4. Note the default log location, C:\usr\log\snmptrapd.log; this is the file to configure Splunk Enterprise to monitor.

Use Management Information Bases (MIBs)

Management Information Bases (MIBs) provide a map between the numeric object IDs (OIDs) reported in an SNMP trap and a textual, human-readable form. Though snmptrapd works without any MIB files at all, it then does not display the results in the same way, since it has no names to substitute for the numeric OIDs.

The vendor of the device you receive SNMP traps from can provide a specific MIB. For example, all Cisco device MIBs can be located using the online Cisco SNMP Object Navigator.

There are two steps required to add a new MIB file:

1. Download and copy the MIB file into the MIB search directory. On the *nix version of Net-SNMP, the default location is /usr/local/share/snmp/mibs. You can set a different directory by providing the -m argument to snmptrapd.

2. Instruct snmptrapd to load the MIB(s) by passing a colon-separated list to the -m argument.

Note:

  • If you prefix the value of the -m argument with a '+' character, snmptrapd loads the listed MIBs in addition to the default list, instead of overwriting the list.
  • The special keyword ALL tells snmptrapd to load all MIB modules in the MIB directory.

For example, to load all MIB modules in the MIB directory:

     snmptrapd -m +ALL
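The following shell script is an added example, not part of this Splunk topic or of Net-SNMP, that ties together the *nix configuration, the Windows snmptrapd.conf directives and the MIB options above. Rather than passing --disableAuthorization=yes, which makes snmptrapd accept notifications from any sender, it writes a minimal snmptrapd.conf that authorizes a single community string for logging only, then builds the snmptrapd command line with the -Lf log file that Splunk Enterprise monitors, and flags listen ports below 1024 that require root. It also passes Net-SNMP's -M option (the MIB search directory) alongside -m (the MIB modules to load). The community string, paths and listen address are placeholders.

```shell
#!/bin/sh
# Added example (not from the Splunk topic or Net-SNMP): build a scoped
# snmptrapd configuration instead of disabling authorization outright.
# All names, paths and the community string below are placeholders.

# write_snmptrapd_conf CONF_PATH COMMUNITY [LISTEN_ADDR]
# Writes a minimal snmptrapd.conf that accepts v1/v2c notifications only when
# they carry COMMUNITY, and permits them to be logged but not to trigger
# traphandle scripts ('execute') or forwarding ('net').
write_snmptrapd_conf() {
  conf="$1"; community="$2"; listen="${3:-udp:162}"
  cat > "$conf" <<EOF
# Address and port to listen on (udp:162 is the SNMP trap default)
snmpTrapdAddr $listen
# Authorize notifications with this community string for logging only
authCommunity log $community
EOF
}

# count_auth_lines CONF_PATH: number of authCommunity directives in the file
count_auth_lines() {
  grep -c '^authCommunity' "$1"
}

# port_needs_root LISTEN_ADDR: succeeds when the port is privileged (< 1024),
# in which case snmptrapd must run as root.
port_needs_root() {
  port="${1##*:}"
  [ "$port" -lt 1024 ]
}

# build_snmptrapd_cmd CONF_PATH LOG_PATH [MIBDIR] [MIBLIST]
# -C  ignore the default configuration files; -c use only CONF_PATH
# -Lf append received traps to LOG_PATH (the file Splunk monitors)
# -f  stay in the foreground (handy while testing; drop it for a daemon)
# -M  MIB search directory (a leading '+' adds to the default search path)
# -m  MIB modules to load (a leading '+' adds to the default module list)
build_snmptrapd_cmd() {
  conf="$1"; log="$2"; mibdir="${3:-}"; miblist="${4:-}"
  cmd="snmptrapd -C -c $conf -Lf $log -f"
  [ -n "$mibdir" ] && cmd="$cmd -M +$mibdir"
  [ -n "$miblist" ] && cmd="$cmd -m $miblist"
  printf '%s\n' "$cmd"
}

# Demonstration with placeholder values; runs only when invoked as: sh script.sh demo
if [ "${1:-}" = "demo" ]; then
  write_snmptrapd_conf /tmp/snmptrapd.conf splunk-ro udp:162
  port_needs_root udp:162 && echo "udp:162 is privileged: run snmptrapd as root"
  build_snmptrapd_cmd /tmp/snmptrapd.conf /var/log/snmp-traps /opt/vendor-mibs +ALL
fi
```

The generated file grants only the 'log' permission to the community, so a trap that matches the community string is written to the log file but cannot start a traphandle script or be forwarded; devices that send a different community string are ignored, which is the behaviour the access control check in snmptrapd 5.3 and later is meant to enforce.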

This documentation applies to the following versions of Splunk: 4.2, 4.2.1, 4.2.2, 4.2.3, 4.2.4, 4.2.5, 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7, 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.2.0, 6.2.1, 6.2.2, 6.2.3.


Comments

In response to questions about SNMP support, Splunk Enterprise supports SNMP v.3.

Vgenovese
October 27, 2014

... or just use the SNMP Modular Input: http://apps.splunk.com/app/1537

Steven swor
September 24, 2014

Please mention/clarify the version numbers of SNMP supported by Splunk Enterprise.

Miteshvohra
August 3, 2014

What about SNMPv3? Some environments are mandating its use over v2c.

Bryansampsel
March 5, 2012

This is great, but what about SNMP polling?

Msarro
February 10, 2012
