Forums: SplunkAdministration: SNMP Traps for IPS




Hi,

I have Splunk 4.0.9 installed on windows server 2008.

I need to get SNMP traps from an IBM Proventia IPS.
SNMP is enabled on the IPS.

Configuration on Splunk end:

I have installed Net-SNMP and configured the script below as per this link:

http://www.splunk.com/wiki/Community:Sending_SNMP_Traps_On_Windows

Script

setlocal

rem Splunk IP address, Net-SNMP installed (the trap destination)
set SNMPAGENTHOST=10.151.2.103
set SNMPAGENTPORT=162
rem confused at OID
set OID=1.3.6.1.4.1.27389.1.1
rem community string as configured on the IPS
set SNMPCOMMUNITY=public
set SNMPTRAPCMD=C:\usr\bin\snmptrap.exe
for /f "usebackq" %%h in (`hostname`) do @set myhost=%%h
rem arguments passed in by Splunk's alert action: count, terms, query, saved-search name, reason, permalink, [tags,] results path
set num=%~1
set num=%num:'=%
set terms=%2
set query=%3
set sname=%4
set reason=%5
set permalink=%6
if "%8" == "" (
set resultspath=%7
) else (
set tags=%7
set resultspath=%8
)

rem snmptrap syntax: snmptrap -v 2c -c COMMUNITY HOST:PORT UPTIME TRAP-OID [OID TYPE VALUE]...
if "%8" == "" (
"%SNMPTRAPCMD%" -v 2c -c %SNMPCOMMUNITY% %SNMPAGENTHOST%:%SNMPAGENTPORT% host-uptime %OID% %OID%.1 i %num% %OID%.2 s %terms% %OID%.3 s %query% %OID%.4 s %sname% %OID%.5 s %reason% %OID%.6 s %permalink% %OID%.8 s %resultspath%
) ELSE (
"%SNMPTRAPCMD%" -v 2c -c %SNMPCOMMUNITY% %SNMPAGENTHOST%:%SNMPAGENTPORT% host-uptime %OID% %OID%.1 i %num% %OID%.2 s %terms% %OID%.3 s %query% %OID%.4 s %sname% %OID%.5 s %reason% %OID%.6 s %permalink% %OID%.8 s %resultspath% %OID%.7 s %tags%
)

endlocal

The above script resides in splunk home\bin\scripts\sendsnmptrap.cmd.

I have configured Splunk and scheduled the script to run at a 60-second interval through data inputs.

Perl 5.10 is installed.

I'm not receiving traps in Splunk.

Can I get guidance on how I can troubleshoot further?

Thanks,
Mateen.

Hi Mateen,

The script you have is for sending SNMP traps, not receiving them.

You do need the Net-SNMP tools. You want to run the snmpconf tool and configure snmptrapd to write to a file. Then add the file as an input. The only default settings you need to change are the security options, to allow all hosts or just specified hosts to send snmp traps.

Thanks

Duncan Turnbull
Satisnet Technical Services
EMEA Splunk Partner

Hello Duncan,

Firstly, I thank you for the guidance.

I'm trying to write snmptrapd.conf but finding it difficult. But I'll keep on trying too.

It would be easy for me if you can guide me through the step-by-step procedure from the beginning.

Thanks,
Mateen

Hi Duncan ,

Can you help in taking further steps?

Thanks,
Mateen.

Here is my snmptrapd.conf

###########################################################################
#
# snmptrapd.conf
#
#   - created by the snmpconf configuration program
#
###########################################################################
# SECTION: Authentication options
#
#   Authentication options

# ignoreauthfailure: Ignore authentication failure traps
#   arguments: (1|yes|true|0|no|false)

ignoreauthfailure 0

###########################################################################
# SECTION: Output formatting for traps received.
#
#   Output from snmptrapd is formatted according to the
#   rules defined by the formatting configuration directives.

# format2: How SNMPv2 and SNMPv3 traps are formatted.
#   See the snmptrapd.conf manual page for format string details.
#   arguments: formatstring

format2 stderr

###########################################################################
# SECTION: Logging options
#
#   Logging options

# donotlogtraps: Prevent traps from being logged
#   Useful when you only want to use traphandles
#   arguments: (1|yes|true|0|no|false)

donotlogtraps 1

# logoption: Set options controlling where to log to
#   See -L options in the snmptrapd.conf man page

logoption "-Lf D:\IPSLogs\trapsnmp.txt"

###########################################################################
# SECTION: Trap Handlers
#
#   Here we define what programs are run when a trap is
#   received by the trap receiver.

# traphandle: When traps are received, a program can be run.
#   When traps are received, the list of configured trap
#   handles is consulted and any configured program is run.
#   If no handler is found, any handler with "default" as the
#   traphandle type is run instead. The information contained
#   in trap is passed to the program via standard input (see
#   the snmptrapd.conf manual page for details).
#   arguments: oid|"default" program args

traphandle default

snmp.conf

###########################################################################
#
# snmp.conf
#
#   - created by the snmpconf configuration program
#
###########################################################################
# SECTION: Default Authentication Options
#
#   This section defines the default authentication
#   information. Setting these up properly in your
#   ~/.snmp/snmp.conf file will greatly reduce the amount of
#   command line arguments you need to type (especially for snmpv3).

# defaultport: The default port number to use
#   This token specifies the default port number you want packets to
#   be sent to and received from.
#   override: with -p on the command line.
#   arguments: portnum

defaultport

# defversion: The default snmp version number to use.
#   override: with -v on the command line.
#   arguments: 1|2c|3

defversion 2c

###########################################################################
# SECTION: Textual mib parsing
#
#   This section controls the textual mib parser. Textual
#   mibs are parsed in order to convert OIDs, enumerated
#   lists, and ... to and from textual representations
#   and numerical representations.

# mibdirs: Specifies directories to be searched for mibs.
#   Adding a '+' sign to the front of the argument appends the new
#   directory to the list of directories already being searched.
#   arguments: [+]directory[:directory...]

mibdirs C:/usr/share/snmp/mibs

#
# Unknown directives read in from other files by snmpconf
#
persistentDir C:/usr/snmp/persist
tempFilePattern C:/usr/temp/snmpdXXXXXX
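The receiving side that Duncan describes (snmptrapd writing traps to a file, with the security options opened for the permitted senders, and Splunk monitoring that file) can be checked end to end with a small script. The following is an added example, not code from this thread, from Splunk or from the Net-SNMP project: it renders a minimal snmptrapd.conf and parses the lines that configuration produces into fields a search can key on. It assumes Net-SNMP 5.3 or later, where snmptrapd drops every trap unless an authCommunity (or disableAuthorization) directive is present, and it assumes the format2 string shown; the addresses, file paths and enterprise OID 99999 in the sample log are constructed placeholders.

```python
"""Added example (not from the thread): render a minimal snmptrapd.conf that
writes received traps to a file for Splunk to monitor, and parse the lines
that configuration produces.  Addresses, paths and the enterprise OID
99999 used in the sample are constructed placeholders."""
import re
from datetime import datetime

# Assumed format2 directive: zero-padded local timestamp, PDU source host
# (%B), then the varbind list (%v), which snmptrapd separates with tabs.
FORMAT2 = r"%.4y-%.2m-%.2l %.2h:%.2j:%.2k %B %v\n"

TRAP_OID_NAME = "SNMPv2-MIB::snmpTrapOID.0"
AUTH_FAILURE_TRAP = "SNMPv2-MIB::authenticationFailure"
# One varbind looks like "name = TYPE: value"; the TYPE prefix is absent
# for some values (for example an empty string), so it is optional here.
VARBIND_RE = re.compile(
    r"^(?P<name>\S+) = (?:(?P<type>[A-Za-z0-9-]+): )?(?P<value>.*)$")


def render_snmptrapd_conf(allowed_sources, community, log_path):
    """Build snmptrapd.conf text.  Net-SNMP 5.3+ silently discards traps
    unless an authCommunity (or disableAuthorization) line exists, so each
    permitted sender gets one; logging stays on so the file is written."""
    lines = ["# snmptrapd.conf (generated example)",
             "# Accept v1/v2c traps for this community only from these senders."]
    for src in allowed_sources:
        lines.append(f"authCommunity log {community} {src}")
    lines += [
        "# Keep logging on: the file is the hand-off point to Splunk.",
        "donotlogtraps 0",
        "# Record authenticationFailure traps; they reveal bad-community probes.",
        "ignoreauthfailure 0",
        f'logoption "-Lf {log_path}"',
        f'format2 "{FORMAT2}"',
    ]
    return "\n".join(lines) + "\n"


def parse_trap_line(line):
    """Parse one line written with FORMAT2 into a dict, or None if it does
    not match.  The trap OID is lifted out of the varbinds and
    authenticationFailure traps are flagged for a detection search."""
    parts = line.rstrip("\n").split(" ", 3)
    if len(parts) < 4:
        return None
    date, clock, source, rest = parts
    try:
        stamp = datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S")
    except ValueError:
        return None
    varbinds = []
    for vb in rest.split("\t"):
        m = VARBIND_RE.match(vb)
        if m:
            value = m.group("value").strip('"')
            varbinds.append((m.group("name"), m.group("type") or "", value))
    trap_oid = next((v for n, _, v in varbinds if n == TRAP_OID_NAME), None)
    return {"timestamp": stamp, "source": source, "trap_oid": trap_oid,
            "auth_failure": trap_oid == AUTH_FAILURE_TRAP, "varbinds": varbinds}


def parse_trap_log(text):
    """Parse a whole log file's text, skipping lines that do not match."""
    return [r for r in map(parse_trap_line, text.splitlines()) if r]


# Constructed sample of what snmptrapd writes with FORMAT2: one enterprise
# trap from the (placeholder) IPS address and one authenticationFailure trap.
SAMPLE_LOG = (
    "2010-06-01 12:34:56 10.151.2.50 "
    "DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (1234567) 3:25:45.67\t"
    "SNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2-SMI::enterprises.99999.1.0.1\t"
    'SNMPv2-SMI::enterprises.99999.1.1.1 = STRING: "constructed alert text"\n'
    "2010-06-01 12:35:10 10.151.2.77 "
    "DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (1234600) 3:25:46.00\t"
    "SNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2-MIB::authenticationFailure\n"
)

if __name__ == "__main__":
    print(render_snmptrapd_conf(["10.151.2.50"], "public", "D:/IPSLogs/trapsnmp.txt"))
    for rec in parse_trap_log(SAMPLE_LOG):
        print(rec["timestamp"], rec["source"], rec["trap_oid"],
              "AUTH-FAILURE" if rec["auth_failure"] else "")
```

Write the rendered text to a file, start the daemon with `snmptrapd -c <that file>`, and point Splunk at the log with a `[monitor://D:\IPSLogs\trapsnmp.txt]` stanza in inputs.conf; the parser then mirrors what a field extraction on that sourcetype has to cope with, including varbinds that carry no type prefix.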
