Splunk® IT Service Intelligence

Administer Splunk IT Service Intelligence


Ingest SNMP traps in ITSI

Simple Network Management Protocol (SNMP) is an application-layer protocol used to manage and monitor network devices and their functions. Learn how to ingest SNMP traps into Splunk Enterprise and feed them into ITSI Episode Review for easy review and correlation.

After you configure Splunk Enterprise and ITSI to receive and process SNMP traps, enable the default correlation search and aggregation policy to view and triage the traps in Episode Review. For more information, see Triage episodes in ITSI in the Splunk ITSI User Manual.

Prerequisites

  1. To ingest SNMP traps in ITSI, you must install and configure snmptrapd, an application that receives and logs SNMP TRAP and INFORM messages and resolves them using vendor Management Information Bases (MIBs). Before you install snmptrapd on your system, see the manual page for snmptrapd.
  2. To configure the logging format, open snmptrapd.conf and add the following stanza:
    # snmptrapd formatting
    # http://www.net-snmp.org/wiki/index.php/TUT:Configuring_snmptrapd_to_parse_MIBS_from_3rd_party_Vendors

    # SNMPV1

    format1 Agent_Address = %A\nAgent_Hostname = %B\nDate = %#y-%#02.2m-%#02.2l %#02.2h:%#02.2j:%#02.2k\nEnterprise_OID = %N \nTrap_Type = %w\nTrap_SubType = %q\nCommunity_Infosec_Context = %P\nUptime = %T\nDescription = %W\nPDU_Attribute_Value_Pair_Array:\n%V\n%v\n---\n

    # SNMPV2

    format2 Agent_Address = %A\nAgent_Hostname = %B\nDate = %#y-%#02.2m-%#02.2l %#02.2h:%#02.2j:%#02.2k\nEnterprise_OID = %N\nTrap_Type = %w\nTrap_SubType = %q\nCommunity_Infosec_Context = %P\nUptime = %T\nDescription = %W\nPDU_Attribute_Value_Pair_Array:\n%V\n%v\n---\n
    

Steps

Perform the following steps to ingest SNMP traps into ITSI:

  1. Send SNMP events to your Splunk deployment.
  2. Configure the snmptrapd index.
  3. Enable the SNMP correlation search and aggregation policy.

Send SNMP events to your Splunk deployment

For instructions on getting SNMP events into your Splunk deployment, see Send SNMP events to your Splunk deployment in the Splunk Enterprise Getting Data In manual.

Configure the snmptrapd index

After you install and configure snmptrapd, you need to tell Splunk software and ITSI where to find the SNMP data and how to parse it. Use the following ITSI configuration files to instruct Splunk software to monitor the file that snmptrapd is writing to, and to parse and extract the key-value pairs that make up important information contained in the traps.

Where you deploy these configurations depends on the type of Splunk deployment you have. For more information, see Overview of installing IT Service Intelligence in a distributed environment.

inputs.conf

Add the following stanza to the local version of inputs.conf:

[monitor:///var/log/snmptrapd.log]
disabled = false
index = snmptrapd
sourcetype = snmptrapd

This stanza tells your Splunk instance where to look for your data. Deploy this configuration on forwarders or Splunk instances co-located with snmptrapd.

props.conf

Add the following stanza to the local version of props.conf:

[snmptrapd]
DATETIME_CONFIG =
KV_MODE = none
LINE_BREAKER = ([\r\n]+)Agent_Address\s=
MAX_TIMESTAMP_LOOKAHEAD = 30
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
TIME_FORMAT = %Y-%m-%d %H:%M:%S
TIME_PREFIX = Date\s=\s
TZ = UTC
category = Custom
description = parse snmptrapd logging with custom kvpair splunk formatting
disabled = false
pulldown_type = true
EXTRACT-node = ^[^\[\n]*\[(?P<node>[^\]]+)
REPORT-snmptrapd = snmptrapd_kv

This stanza sets line-breaking rules and extracts the timestamp. In this case, the timestamp is the time that the snmptrapd server received the trap. This stanza also ensures that Splunk knows how to parse the time format.

Deploy this configuration to your heavy forwarder, indexer, and search heads.

transforms.conf

Add the following stanza to the local version of transforms.conf:

[snmptrapd_kv]
DELIMS = "\n"   "="

This stanza extracts all key-value pairs in the SNMP trap. Deploy this configuration to your heavy forwarder, indexer, and/or search heads.
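Before deploying the props.conf and transforms.conf stanzas above, it helps to confirm that the snmptrapd format1/format2 output from the Prerequisites section actually breaks into one event per trap, yields a parsable Date field, and produces the expected key-value fields. The following script is an added example, not Splunk or ITSI code: it re-implements the effect of LINE_BREAKER, TIME_PREFIX/TIME_FORMAT/MAX_TIMESTAMP_LOOKAHEAD, EXTRACT-node and DELIMS in plain Python and runs them over a constructed two-trap snmptrapd.log sample (all addresses, hostnames, OIDs and varbinds in the sample are made up). The key-cleaning step is an assumed approximation of Splunk's default CLEAN_KEYS handling, not a verified reproduction of it.

```python
"""Offline check of how the documented props/transforms settings carve snmptrapd.log.

Added example (not Splunk/ITSI code). Emulates:
  LINE_BREAKER = ([\r\n]+)Agent_Address\s=          -> one event per trap
  TIME_PREFIX = Date\s=\s, TIME_FORMAT, MAX_TIMESTAMP_LOOKAHEAD, TZ = UTC
  EXTRACT-node = ^[^\[\n]*\[(?P<node>[^\]]+)
  DELIMS = "\n" "="                                 -> key=value fields
"""
import re
from datetime import datetime, timezone

# Constructed sample written in the format1 layout from the Prerequisites section.
# The first trap carries a bracketed address so the EXTRACT-node rule has something to match.
SAMPLE_LOG = """Agent_Address = switch01 [192.0.2.10]
Agent_Hostname = switch01.example.test
Date = 2024-03-05 14:07:33
Enterprise_OID = SNMPv2-SMI::enterprises.9.9.41.2
Trap_Type = 6
Trap_SubType = 1
Community_Infosec_Context = public
Uptime = 12:03:44.10
Description = Link down
PDU_Attribute_Value_Pair_Array:
IF-MIB::ifIndex.3 = 3
IF-MIB::ifDescr.3 = GigabitEthernet0/3
---
Agent_Address = 192.0.2.11
Agent_Hostname = router02.example.test
Date = 2024-03-05 14:08:01
Enterprise_OID = SNMPv2-SMI::enterprises.9.9.41.2
Trap_Type = 6
Trap_SubType = 2
Community_Infosec_Context = public
Uptime = 12:04:12.00
Description = Link up
PDU_Attribute_Value_Pair_Array:
IF-MIB::ifIndex.3 = 3
---
"""

# Python equivalents of the stanza settings on this page.
LINE_BREAKER = re.compile(r"[\r\n]+(?=Agent_Address\s=)")  # breaker text is discarded
TIME_PREFIX = re.compile(r"Date\s=\s")
TIME_FORMAT = "%Y-%m-%d %H:%M:%S"
MAX_TIMESTAMP_LOOKAHEAD = 30
TIME_PATTERN = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}")
NODE_RE = re.compile(r"^[^\[\n]*\[(?P<node>[^\]]+)")
PAIR_DELIM, KV_DELIM = "\n", "="


def split_events(log_text):
    """One event per trap: break wherever a newline run is followed by 'Agent_Address ='."""
    return [e for e in LINE_BREAKER.split(log_text) if e.strip()]


def extract_timestamp(event):
    """Locate the Date field via TIME_PREFIX, look ahead at most 30 chars, parse with TIME_FORMAT."""
    m = TIME_PREFIX.search(event)
    if not m:
        return None
    window = event[m.end(): m.end() + MAX_TIMESTAMP_LOOKAHEAD]
    t = TIME_PATTERN.match(window)
    if not t:
        return None  # format1/format2 Date layout does not match TIME_FORMAT
    return datetime.strptime(t.group(0), TIME_FORMAT).replace(tzinfo=timezone.utc)


def clean_key(key):
    """Assumed approximation of Splunk's default key cleaning: non-alphanumerics become '_'."""
    return re.sub(r"[^A-Za-z0-9_]", "_", key)


def extract_fields(event):
    """DELIMS rule: split on newlines, then split each line on its first '='."""
    fields = {}
    for line in event.split(PAIR_DELIM):
        if KV_DELIM not in line:
            continue  # skips the PDU_Attribute_Value_Pair_Array: header and the --- terminator
        key, value = line.split(KV_DELIM, 1)
        fields[clean_key(key.strip())] = value.strip()
    return fields


def extract_node(event):
    """EXTRACT-node: text inside the first [...] on the event's first line, if any."""
    m = NODE_RE.match(event)
    return m.group("node") if m else None


def parse_snmptrapd_log(log_text):
    """Return one dict per trap with the timestamp, node and extracted fields."""
    return [
        {"_time": extract_timestamp(raw), "node": extract_node(raw), "fields": extract_fields(raw)}
        for raw in split_events(log_text)
    ]


if __name__ == "__main__":
    for ev in parse_snmptrapd_log(SAMPLE_LOG):
        print(ev["_time"].isoformat(), ev["node"], ev["fields"]["Agent_Hostname"],
              ev["fields"]["Description"])
```

Run it against a few lines captured from your own snmptrapd.log instead of SAMPLE_LOG: if `extract_timestamp` returns None, the format directive's Date layout and the TIME_FORMAT setting disagree; if varbind keys come out mangled, that is where Splunk's key cleaning will also bite and where a REPORT extraction with explicit field names may be preferable to the bare DELIMS rule.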

default.meta.conf

Add the following stanza to the local version of default.meta.conf:

[]
access = read : [ * ], write : [ admin ]
export = system

This stanza includes a local.meta.conf file in the ITSI application that exports permissions to the system. Deploy this configuration on your search heads.

Enable the SNMP correlation search and aggregation policy

ITSI provides the following default correlation search and aggregation policy for processing SNMP traps:

SNMP Traps
A default correlation search that generates a notable event for each SNMP trap received through Splunk.
Default SNMP Policy
A default notable event aggregation policy that aggregates individual SNMP trap events into episodes in Episode Review.

Steps

  1. To enable the correlation search, click Configure > Correlation Searches and enable the SNMP Traps search in the Status column.
  2. To enable the aggregation policy, click Configure > Notable Event Aggregation Policies and enable the Default SNMP Policy in the Status column.

This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.2.0, 4.2.1, 4.2.2, 4.2.3, 4.3.0, 4.3.1
