Send SNMP events to Splunk
Contents
Send SNMP events to Splunk
| Important:
The procedures shown in this topic (for both *nix and Windows) are examples only. You can accomplish the task of sending SNMP traps to Splunk in a number of ways. For example, instead of Net-SNMP, you can use other tools, such as Snare or SNMPGate, to write SNMP traps to file storage for monitoring by Splunk. |
Simple Network Management Protocol (SNMP) traps are alerts fired off by remote devices. This topic describes how to receive and index SNMP traps at the Splunk indexer.
Note: For information on how to use Splunk as a monitoring tool to send SNMP alerts to other systems, such as a Network Management System console, read "Send SNMP traps to other systems" in the Alerting Manual.
How to index SNMP traps
The most effective way to index SNMP traps is to first write them to a file on the Splunk server. Then, configure Splunk to monitor the file.
There are three steps to this:
1. Configure the remote devices to send their traps directly to the Splunk server's IP address.The default port for SNMP traps is udp:162.
2. Write the SNMP traps to a file on the Splunk server, as described later in this topic.
3. Configure Splunk to monitor the file, as described in "Monitor files and directories".
Note: This topic does not cover SNMP polling, which is a way to query remote devices.
Write SNMP traps to a file on the Splunk server
Important: The following procedures shown in this topic (for both *nix and Windows) are examples only. You can accomplish the task of sending SNMP traps to Splunk in a number of ways. For example, instead of Net-SNMP, you can use other tools, such as Snare or SNMPGate, to write SNMP traps to file storage for monitoring by Splunk.
For information about available SNMP software, visit the SNMP portal (http://www.snmplink.org) website.
For *nix
On *nix, you can use the Net-SNMP project's snmptrapd to write SNMP traps to a file.
Before installing snmptrapd on your system, refer to the following documentation:
- Any local documentation for your distribution's packaging of the tool (this depends on the *nix distribution you use; for Red Hat or CentOS Linux, a
net-snmpRPM package is available, for example. If no installer package is available, you might have to build the package from source files.) - The documentation here: [The manual page http://net-snmp.sourceforge.net/docs/man/snmptrapd.html] (http://net-snmp.sourceforge.net/docs/man/snmptrapd.html) for
snmptrapd.
The simplest configuration is:
# snmptrapd -Lf /var/log/snmp-traps
Note: Previously, snmptrapd would accept all incoming notifications, and log them automatically (even if no explicit configuration was provided). Starting with snmptrapd release 5.3 (check with snmptrapd --version), access control checks will be applied to all incoming notifications. If snmptrapd is run without suitable access control settings, then such traps will not be processed. You can avoid this by specifying:
# snmptrapd -Lf /var/log/snmp-traps --disableAuthorization=yes
Troubleshooting:
- If you keep the default listening port of 162, which is a privileged port, you must run
snmptrapdas root. - Use the
-fflag to keepsnmptrapdin the foreground while testing. Use-Loinstead of-Lfto log to standard output. - You can use the
snmptrapdcommand to generate an example trap, as in:
# snmptrap -v2c -c public localhost 1 1
For Windows
To log SNMP traps to a file on Windows:
1. Download and install NET-SNMP for Windows from the Net-SNMP website.
Important: Make sure to download the latest version available for your system. Also, make sure that OpenSSL version 1.0 or later is not installed on the system.
2. Register snmptrapd as a service using the script included in the NET-SNMP install.
3. Edit C:\usr\etc\snmp\snmptrapd.conf:
snmpTrapdAddr [System IP]:162 authCommunity log [community string]
4. The default log location is C:\usr\log\snmptrapd.log
Use Management Information Bases (MIBs)
Management Information Bases (MIBs) provide a map between numeric object IDs (OIDs) reported by the SNMP trap and a textual human readable form. Though snmptrapd can work without any MIB files at all, it won't display the results in exactly the same way.
The vendor of the device you receive SNMP traps from can provide a specific MIB. For example, all Cisco device MIBs can be located using the online Cisco SNMP Object Navigator.
There are two steps required to add a new MIB file:
1. Download and copy the MIB file into the MIB search directory. On the *nix version of Net-SNMP, the default location is /usr/local/share/snmp/mibs, although you can set a different directory by providing the -m argument to snmptrapd.
2. Instruct snmptrapd to load the MIB(s) by passing a colon separated list to the -m argument. There are two important details here:
- Adding a leading '+' character will load the MIB in addition to the default list, instead of overwriting the list.
- The special keyword
ALLtellssnmptrapdto load all MIB modules in the MIB directory.
The safest argument seems to be: -m +ALL:
snmptrapd -m +ALL
This documentation applies to the following versions of Splunk: 4.2 , 4.2.1 , 4.2.2 , 4.2.3 , 4.2.4 , 4.2.5 , 4.3 , 4.3.1 , 4.3.2 , 4.3.3 , 4.3.4 , 4.3.5 , 4.3.6 , 5.0 , 5.0.1 , 5.0.2 View the Article History for its revisions.
Comments
This is great, but what about SNMP polling?
What about SNMPv3? Some environments are mandating its use over v2c.