SNMP Modular Input v1.8.5

IMPORTANT

The Python code in this App is dual 2.7/3 compatible. This version of the App enforces Python 3 for execution of the modular input script when running on Splunk 8+ in order to satisfy Splunkbase AppInspect requirements. If running this App on Splunk versions prior to 8 , then Python 2.7 will get executed.

Overview

This is a Splunk modular input add-on for polling SNMP attributes and catching traps.

Activation Key

You require an activation key to use this App. Visit http://www.baboonbones.com/#activation to obtain a non-expiring key

Features

• Simple UI based configuration
• Capture SNMP traps (Splunk becomes a SNMP trap daemon in its own right)
• Poll SNMP object attributes (GET , GETNEXT and GETBULK)
• SNMP version 1,2c and 3 support
• Declare objects to poll in textual or numeric format
• Ships with a wide selection of standard industry MIBs
• Add in your own Custom MIBs
• SNMP Walk object trees or whole MIBs
• Optionally index bulk results as individual events in Splunk
• Monitor 1 or more Objects per stanza
• Create as many SNMP input stanzas as you require
• IPv4 and IPv6 support
• Indexes SNMP events in key=value semantic format
• Plug in your own custom response handler for formatting or pre-processing
• Ships with some additional custom field extractions
• Full encryption support for declaring any sensitive credentials

Dependencies

• Splunk 5.0+
• Supported on all Splunk Operating Systems

Setup

• Untar the release to your $SPLUNK_HOME/etc/apps directory
• Restart Splunk
• Login and Browse to the SNMP App's landing page

Using SNMP Version 3

Because the Python version shipped with Splunk doesn't have the required libraries (namely pycryptodomex & ctypes) , you need to use a System Python installation when using SNMP Version 3.

So , under your System Python installation :

1) Install the pycryptodomex package

pip install pycryptodomex

2) Then when you configure your v3 input or trap listener in Splunk , select the option to use the System Python runtime

Setting up SNMPv3 USM Users

If you only need to setup a single SNMPv3 USM User for polling attributes or receiving traps then you can do so via the Data Inputs SNMP stanza setup page, or by editing inputs.conf manually.

If you need to setup multiple USM Users for receiving traps on the same port , then you can do so in the snmp_ta/default/snmpv3_usm_users.conf file.

IMPORTANT : For receiving traps , SNMPv3 USM Username and SNMPv3 USM Engine ID must match what is configured in the Trap sending device.

Adding Custom MIBs

Many industry standard MIBs ship with the Modular Input.

You can see which MIBs are available by default by looking in SPLUNK_HOME/etc/apps/snmp_ta/bin/mibs/pysnmp_mibs

Any additional custom vendor MIBs can be added by :

1) placing the plaintext MIB file in SPLUNK_HOME/etc/apps/snmp_ta/bin/mibs/user_plaintext_mibs , they will be automatically compiled at runtime

or

2) precompiling the plaintext MIB into a python module and placing in SPLUNK_HOME/etc/apps/snmp_ta/bin/mibs/user_python_mibs

You can use the utility script SPLUNK_HOME/etc/apps/snmp_ta/bin/mibdump.py to precompile plaintext mibs.

Example : This command will compile the plaintext MIB CISCO-SMI.txt from the mibs/user_plaintext_mibs directory into a python module and output it to mibs/user_python_mibs/CISCO-SMI.py

Change into the snmp_ta/bin directory and run :

python mibdump.py --destination-directory=mibs/user_python_mibs --mib-source=mibs/common_plaintext_mibs --mib-source=mibs/user_plaintext_mibs CISCO-SMI

Then , on the configuration screen for the SNMP input , there is a field called “MIB Names”.

Here you can specify the MIB names you want applied to your OIDs ie: IF-MIB,DNS-SERVER-MIB,BRIDGE-MIB

Sourcetypes

The following sourcetypes are available by default :

• snmp_attributes
• snmp_traps

These sourcetypes just have some basic timestamp and field extractions based on the out of the box functionality and data formats. Of course , you are free to create your own custom sourcetypes as you require also.

Encryption of credentials

If you require an encrypted credential in your configuration , then you can enter it on the setup page.

Then in your configration stanza refer to it in the format {encrypted:somekey}

Where somekey is any value you choose to enter on the setup page to refer to your credential.

Custom Response Handlers

You can provide your own custom Response Handler. This is a Python class that you should add to the snmp_ta/bin/responsehandlers.py module.

You can then declare this class name and any parameters in the SNMP Modular Input setup page.

For the most part the Default Response Handler should suffice.

But there may be situations where you want to format the response in a manner that is more convenient for handling your data ie: CSV or JSON.

Furthermore , you can also use a custom Response Handler implementation to perform preprocessing of your raw response data before sending it to Splunk.

Logging

Modular Input logs will get written to $SPLUNK_HOME/var/log/splunk/snmpmodinput_app_modularinput.log

Setup logs will get written to $SPLUNK_HOME/var/log/splunk/snmpmodinput_app_setuphandler.log

These logs are rotated daily with a backup limit of 5.

The Modular Input logging level can be specified in the input stanza you setup. The default level is INFO.

You can search for these log sources in the _internal index or browse to the Logs menu item on the App's navigation bar.

Support

BaboonBones.com offer commercial support for implementing and any questions pertaining to this App.