Splunk Base : SplunkAdministration : #4049

SNMP Traps for IPS

mohmed935 — Tue, 02 Mar 2010 10:47:54 PST

Here is my snmptrapd.conf

###########################################################################
#

snmptrapd.conf

- created by the snmpconf configuration program

#
###########################################################################

SECTION: Authentication options

Authentication options

ignoreauthfailure: Ignore authentication failure traps
arguments: (1|yes|true|0|no|false)

ignoreauthfailure 0

###########################################################################

SECTION: Output formatting for traps received.

Output from snmptrapd is formatted according to the
rules defined by the formatting configuration directives.

format2: How SNMPv2 and SNMPv3 traps are formatted.
See the snmptrapd.conf manual page for format string details.
arguments: formatstring

format2 stderr

###########################################################################

SECTION: Logging options

Logging options

donotlogtraps: Prevent traps from being logged
Useful when you only want to use traphandles
arguments: (1|yes|true|0|no|false)

donotlogtraps 1

logoption: Set options controlling where to log to
See -L options in the snmptrapd.conf man page

logoption "-Lf D:\IPSLogs\trapsnmp.txt"

###########################################################################

SECTION: Trap Handlers

Here we define what programs are run when a trap is
received by the trap receiver.

traphandle: When traps are received, a program can be run.
When traps are received, the list of configured trap
handles is consulted and any configured program is run.
If no handler is found, any handler with "default" as the
traphandle type is run instead. The information contained
in trap is passed to the program via standard input (see
the snmptrapd.conf manual page for details).
arguments: oid|"default" program args

traphandle default

snmp.conf

###########################################################################
#

snmp.conf

- created by the snmpconf configuration program

#
###########################################################################

SECTION: Default Authentication Options

This section defines the default authentication
information. Setting these up properly in your
~/.snmp/snmp.conf file will greatly reduce the amount of
command line arguments you need to type (especially for snmpv3).

defaultport: The default port number to use
This token specifies the default port number you want packets to
be sent to and received from.
override: with -p on the command line.
arguments: portnum

defaultport

defversion: The default snmp version number to use.
override: with -v on the command line.
arguments: 1|2c|3

defversion 2c

###########################################################################

SECTION: Textual mib parsing

This section controls the textual mib parser. Textual
mibs are parsed in order to convert OIDs, enumerated
lists, and ... to and from textual representations
and numerical representations.

mibdirs: Specifies directories to be searched for mibs.
Adding a '+' sign to the front of the argument appends the new
directory to the list of directories already being searched.
arguments: [+]directory[:directory...]

mibdirs C:/usr/share/snmp/mibs

Unknown directives read in from other files by snmpconf

#
persistentDir C:/usr/snmp/persist
tempFilePattern C:/usr/temp/snmpdXXXXXX

SNMP Traps for IPS

mohmed935 — Mon, 01 Mar 2010 12:07:38 PST

Hi Duncan ,

can u help in taking further steps ?

'Thanks,
Mateen.

SNMP Traps for IPS

mohmed935 — Sat, 27 Feb 2010 11:52:43 PST

Hello Duncan,

Firstly, i thank you for guidance.

I 'm trying to write snmptrad.conf but finding it difficult. But 'l keep on trying too.

It would be easy for me, if u can guide step by step procedure from begining ?

Thanks,
Mateen

SNMP Traps for IPS

dart — Thu, 25 Feb 2010 04:07:20 PST

Hi Mateen,

The script you have is for sending SNMP traps, not receiving them.

You do need the Net-SNMP tools. You want to run the snmpconf tool and configure snmptrapd to write to a file. Then add the file as an input. The only default settings you need to change are the security options, to allow all hosts or just specified hosts to send snmp traps.

Thanks

Duncan Turnbull
Satisnet Technical Services
EMEA Splunk Partner

SNMP Traps for IPS

mohmed935 — Wed, 24 Feb 2010 03:02:52 PST

Hi,

I have Splunk 4.0.9 installed on windows server 2008.

i need to get snmp traps from IBM Proventia IPS.
SNMP is enabled on IPS

Configuration on Splunk end:

I have installed Net-SNMP and configured script below as per link

http://www.splunk.com/wiki/Community:Sending_SNMP_Traps_On_Windows

Script

setlocal

set SNMPAGENTHOST=10.151.2.103 ---> Splunk IP address, Netsnmp installed
set SNMPAGENTPORT=162
set OID=1.3.6.1.4.1.27389.1.1 ---> confused at OID
set SNMPCOMMUNITY=public --> string as per configured on IPS
set SNMPTRAPCMD=C:\usr\bin\snmptrap.exe
for /f "usebackq" %%h in (`hostname`) do @set myhost=%%h
set num=%~1
set num=%num:'=%
set terms=%2
set query=%3
set sname=%4
set reason=%5
set permalink=%6
if "%8" == "" (
set resultspath=%7
) else (
set tags=%7
set resultspath=%8
)

if "%8" == "" (
"%SNMPTRAPCMD%" -v 2c -c %SNMPCOMMUNITY% %SNMPAGENTHOST%:%SNMPAGENTPORT% host-uptime %OID% %OID%.1 i %num% %OID%.2 s %terms% %OID%.3 s %query% %OID%.4 s %sname% %OID%.5 s %reason% %OID%.6 s %permalink% %OID%.8 s %resultspath%
) ELSE (
"%SNMPTRAPCMD%" -v 2c -c %SNMPCOMMUNITY% %SNMPAGENTHOST%:%SNMPAGENTPORT% host-uptime %OID% %OID%.1 i %num% %OID%.2 s %terms% %OID%.3 s %query% %OID%.4 s %sname% %OID%.5 s %reason% %OID%.6 s %permalink% %OID%.8 s %resultspath% %OID%.7 s %tags%
)

endlocal

above script resides in splunk home\bin \scripts\sendsnmptrap.cmd

i have configured splunk and scheduled script to run at 60secs interval through data inputs.

Perl 5.10 is installed.

I 'm not receving traps in splunk.

can i get guidance how can i troubleshoot further ?

Thanks,
Mateen.