
Send SNMP events to your Splunk deployment
Simple Network Management Protocol (SNMP) traps are unsolicited notifications that managed devices (switches, routers, UPSs, and so on) send to a trap receiver when something happens. This topic describes how to send SNMP traps to a Splunk deployment.
Note: The procedures shown in this topic (for both *nix and Windows) are examples only. There are a number of ways to send SNMP traps to a Splunk deployment. For example, instead of using Net-SNMP, you can use other tools, such as Snare or SNMPGate, to write SNMP traps to files that you can monitor.
How to index SNMP traps
For Splunk Enterprise, the most effective way to index SNMP traps is to write them to a file on the Splunk Enterprise server and configure Splunk Enterprise to monitor the file. If you have Splunk Cloud, write the data to a file that is monitored by the Splunk Universal Forwarder.
To configure Splunk Enterprise to consume SNMP trap data:
1. Configure the remote devices to send their traps directly to the IP address of the Splunk Enterprise instance. The default port for SNMP traps is udp:162.
2. Write the SNMP traps to a file on the Splunk Enterprise instance, as described in "Write SNMP traps to a file on the Splunk Enterprise server."
3. Configure Splunk Enterprise to monitor the file, as described in "Monitor files and directories".
Note: This topic does not cover SNMP polling, which is a way to query remote devices.
Write SNMP traps to a file on the Splunk Enterprise instance
Use your favorite SNMP software to write the SNMP traps to a file. For information about available SNMP software, visit the SNMP portal (http://www.snmplink.org) website.
For *nix
On *nix, you can use the Net-SNMP project snmptrapd binary to write SNMP traps to a file.
Before you install snmptrapd on your system, see the local documentation for the version of snmptrapd that comes with your distribution of *nix. See also the manual page for snmptrapd.
The simplest configuration is:
# snmptrapd -Lf /var/log/snmp-traps
Note: Versions 5.3 and later of snmptrapd apply access control checks to all incoming notifications instead of accepting and logging them automatically, even when no explicit configuration is provided. If you run snmptrapd without suitable access control settings, it does not process those traps and logs nothing for them. You can avoid this by specifying:
# snmptrapd -Lf /var/log/snmp-traps --disableAuthorization=yes
Be aware that --disableAuthorization=yes makes snmptrapd accept notifications from any sender with any community string, so anyone who can reach UDP port 162 can write arbitrary events into the file that Splunk indexes. Use it only for a quick test. For anything longer-lived, add an authCommunity line to snmptrapd.conf instead (for example, authCommunity log [community string]), which is the same directive the Windows procedure below uses.
To see the version of snmptrapd, run snmptrapd --version from the command prompt.
Troubleshoot problems with SNMP
If you experience problems sending SNMP traps to your Splunk deployment, consider that:
- UDP port 162 is a privileged network port. If you need to use this port, then you must either run snmptrapd as root or start snmptrapd with a port number of 1024 or higher (for example, snmptrapd udp:10162), and point the devices at that port.
- You can use the -f flag to keep snmptrapd in the foreground while testing.
- You can use the -Lo flag instead of -Lf to log to standard output.
- You can use the snmptrap command to generate an example trap, as in:
# snmptrap -v2c -c public localhost 1 1
The community string (public here) must be one that snmptrapd is configured to accept with authCommunity, or authorization must be disabled; otherwise snmptrapd 5.3 and later drops the trap without logging anything.
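The *nix procedure and the troubleshooting notes above, put together as an added example that is not code from the Splunk documentation or from the Net-SNMP project: it runs snmptrapd as an unprivileged user on a high port, accepts only traps that carry a known community string (instead of --disableAuthorization=yes), logs one trap per line for Splunk to monitor, and sends two test traps, one that should be logged and one with a wrong community that should be dropped. The scratch directory, the community string and port 10162 are assumed placeholders; the script relies on the snmptrapd.conf directives authCommunity, snmpTrapdAddr and format1/format2 and on the snmptrapd options -f, -C, -c and -Lf.

```sh
#!/bin/sh
# Added example (not Splunk or Net-SNMP code). Assumed values: TRAP_DIR,
# COMMUNITY and PORT are placeholders you would change for your site.
set -eu

TRAP_DIR="${TRAP_DIR:-/tmp/snmp-trap-demo}"     # assumed scratch directory
TRAP_CONF="$TRAP_DIR/snmptrapd.conf"
TRAP_LOG="$TRAP_DIR/snmp-traps.log"             # the file Splunk monitors
COMMUNITY="${COMMUNITY:-r0-traps-2019}"         # assumed; never ship "public"
PORT="${PORT:-10162}"                           # 1024 or higher: no root needed

# Write an snmptrapd.conf that accepts only notifications whose community
# string matches, listens on the given port, and prints one line per trap.
write_trapd_conf() {
    conf="$1"; community="$2"; port="$3"
    mkdir -p "$(dirname "$conf")"
    cat > "$conf" <<EOF
# Only notifications carrying this community are processed ("log" = write them out).
# Add a source network (e.g. 10.0.0.0/8) after the community to restrict senders further.
authCommunity log $community
# Listen on all interfaces on an unprivileged port.
snmpTrapdAddr udp:0.0.0.0:$port
# One line per trap: date time, sender transport address, then the varbinds.
# The default format puts the varbinds on a second line, which Splunk would
# otherwise have to merge back into a single event.
format1 %.4y-%.2m-%.2l %.2h:%.2j:%.2k %b %v\n
format2 %.4y-%.2m-%.2l %.2h:%.2j:%.2k %b %v\n
EOF
}

# Start snmptrapd in the foreground (handy while testing), reading only our
# config file (-C ignores the system ones) and appending to the trap log.
start_trapd() {
    snmptrapd -f -C -c "$TRAP_CONF" -Lf "$TRAP_LOG" &
    echo $!                                     # PID, so the caller can stop it
}

# Send an SNMPv2c coldStart trap (1.3.6.1.6.3.1.1.5.1) carrying sysName.0 as a
# string varbind. The empty '' argument lets snmptrap fill in the uptime.
send_test_trap() {
    snmptrap -v 2c -c "$1" "udp:127.0.0.1:$PORT" '' \
        1.3.6.1.6.3.1.1.5.1 1.3.6.1.2.1.1.5.0 s "demo-switch"
}

# Number of trap lines in the log (0 if the file does not exist yet).
count_traps() {
    if [ -f "$TRAP_LOG" ]; then wc -l < "$TRAP_LOG" | tr -d ' '; else echo 0; fi
}

# End-to-end run: sh trapd-demo.sh run   (needs snmptrapd and snmptrap installed)
if [ "${1:-}" = "run" ]; then
    write_trapd_conf "$TRAP_CONF" "$COMMUNITY" "$PORT"
    pid=$(start_trapd)
    sleep 1
    send_test_trap "$COMMUNITY"; sleep 1
    echo "logged: $(tail -n 1 "$TRAP_LOG")"
    before=$(count_traps)
    send_test_trap "wrong-community"; sleep 1
    if [ "$(count_traps)" -eq "$before" ]; then
        echo "trap with wrong community was dropped (nothing for Splunk to index)"
    else
        echo "WARNING: trap with wrong community was logged; check authCommunity"
    fi
    kill "$pid"
fi
```

Without the run argument the script only defines its functions. Point the Splunk file monitor at $TRAP_DIR/snmp-traps.log; each line is one event with the timestamp first, so no line merging is required. Because traps arrive over UDP, the source address can be spoofed: the community check keeps casual log injection out, and a source network on the authCommunity line, plus a firewall rule on the trap port, narrows it further.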
For Windows
To log SNMP traps to a file on Windows:
1. Download and install the latest version of NET-SNMP for Windows from the NET-SNMP website.
Note: The OpenSSL library must not be installed on the system because it conflicts with NET-SNMP.
2. Register snmptrapd as a service using the script included in the NET-SNMP install.
3. Edit C:\usr\etc\snmp\snmptrapd.conf so that snmptrapd listens on the system's address and accepts traps that carry your community string. Each directive goes on its own line:
snmpTrapdAddr [System IP]:162
authCommunity log [community string]
4. The default log location is C:\usr\log\snmptrapd.log. Configure Splunk Enterprise or the universal forwarder to monitor this file.
Use Management Information Bases (MIBs)
Management Information Bases (MIBs) provide a map between the numeric object IDs (OIDs) reported by an SNMP trap and a textual, human-readable form. snmptrapd can work without any MIB files at all, but it then logs raw numeric OIDs (and undecoded enumerated values) instead of names, which makes the resulting Splunk events harder to search and to write field extractions for.
The vendor of the device you receive SNMP traps from can provide a specific MIB. For example, all Cisco device MIBs can be located using the online Cisco SNMP Object Navigator.
To add a new MIB file:
1. Download the MIB file and copy it into a directory on the MIB search path. On a *nix build of Net-SNMP from source, the default location is /usr/local/share/snmp/mibs; distribution packages usually use /usr/share/snmp/mibs instead. You can add directories to the search path with the -M argument to snmptrapd (a leading '+' keeps the default directories). Note that -M selects directories; -m selects the MIB modules to load.
2. Instruct snmptrapd to load the MIB(s) by passing a colon-separated list of module names to the -m argument.
Note:
- If you add a leading '+' character to the -m argument, snmptrapd loads the listed MIBs in addition to the default list, instead of replacing it.
- The special keyword ALL tells snmptrapd to load all MIB modules in the MIB directory. Loading ALL parses every file on the search path, so start-up is slower and any malformed vendor MIB produces parse errors at start-up; listing only the modules you need is usually better.
For example, to load all MIB modules in the MIB directory:
snmptrapd -m +ALL
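As an added example that is not part of the Splunk documentation or of Net-SNMP, this is the check a practitioner would run before pointing snmptrapd at a new vendor MIB: install the module in a private directory, then confirm with snmptranslate that -M (directories) and -m (modules) resolve its trap OID in both directions with the same arguments snmptrapd will get. EXAMPLE-TRAP-MIB, its enterprise number 99999 and the directory /tmp/vendor-mibs are constructed placeholders, not real registrations.

```sh
#!/bin/sh
# Added example (not Splunk or Net-SNMP code). The MIB below is constructed for
# the demonstration; a real vendor MIB is copied into the directory unchanged.
set -eu

MIB_DIR="${MIB_DIR:-/tmp/vendor-mibs}"   # assumed private MIB directory

# Write the constructed module into the private directory.
install_example_mib() {
    mkdir -p "$1"
    cat > "$1/EXAMPLE-TRAP-MIB.txt" <<'EOF'
EXAMPLE-TRAP-MIB DEFINITIONS ::= BEGIN
IMPORTS
    MODULE-IDENTITY, OBJECT-TYPE, NOTIFICATION-TYPE, enterprises
        FROM SNMPv2-SMI;

exampleTrapMIB MODULE-IDENTITY
    LAST-UPDATED "201901010000Z"
    ORGANIZATION "Example (constructed for testing)"
    CONTACT-INFO "none"
    DESCRIPTION  "Placeholder MIB used to verify that snmptrapd loads MIBs."
    ::= { enterprises 99999 }

exampleNotifications OBJECT IDENTIFIER ::= { exampleTrapMIB 0 }
exampleObjects       OBJECT IDENTIFIER ::= { exampleTrapMIB 1 }

exampleSeverity OBJECT-TYPE
    SYNTAX      INTEGER { info(1), warning(2), critical(3) }
    MAX-ACCESS  accessible-for-notify
    STATUS      current
    DESCRIPTION "Severity carried in exampleLinkDown."
    ::= { exampleObjects 1 }

exampleLinkDown NOTIFICATION-TYPE
    OBJECTS     { exampleSeverity }
    STATUS      current
    DESCRIPTION "A link on the device went down."
    ::= { exampleNotifications 1 }
END
EOF
}

# Numeric OID for a symbolic name: -M +DIR adds the private directory to the
# default search path, -m +MODULE loads the module on top of the defaults, and
# -On asks for numeric output. Prints nothing and fails if the module does not load.
translate_oid() {
    snmptranslate -M "+$1" -m "+$2" -On "$3"
}

# Reverse direction: the name snmptrapd -m +MODULE would log for a numeric OID.
translate_name() {
    snmptranslate -M "+$1" -m "+$2" "$3"
}

if command -v snmptranslate >/dev/null 2>&1; then
    install_example_mib "$MIB_DIR"
    translate_oid  "$MIB_DIR" EXAMPLE-TRAP-MIB EXAMPLE-TRAP-MIB::exampleLinkDown   # .1.3.6.1.4.1.99999.0.1
    translate_name "$MIB_DIR" EXAMPLE-TRAP-MIB .1.3.6.1.4.1.99999.0.1              # EXAMPLE-TRAP-MIB::exampleLinkDown
    # Once both directions resolve, start the receiver with the same MIB arguments:
    #   snmptrapd -f -M "+$MIB_DIR" -m +EXAMPLE-TRAP-MIB -Lf /var/log/snmp-traps
fi
```

If the name fails to resolve, snmptranslate reports the parse error for the MIB file on standard error, which is far easier to read than the same error buried in snmptrapd start-up output. Keep vendor MIBs in their own directory added with -M rather than copying them over the distribution's MIB files, so package upgrades do not remove them.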
This documentation applies to the following versions of Splunk® Enterprise: 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 8.0.0