Ingest SNMP traps into ITSI
Ingest SNMP traps into Splunk Enterprise and feed them into ITSI for easy review and correlation. After you configure Splunk Enterprise and ITSI to receive and process SNMP traps, enable the default correlation search and aggregation policy to view and triage the traps in Episode Review.
Prerequisite
| Requirement | Description |
|---|---|
| ITSI role | You must have the write_itsi_correlation_search capability to ingest SNMP traps into ITSI. The itoa_admin and itoa_team_admin ITSI roles have this capability by default. |
Step 1: Install and configure snmptrapd
- To ingest SNMP traps in ITSI, you must install and configure snmptrapd, an application that receives and logs SNMP TRAP and INFORM messages and resolves them using vendor Management Information Bases (MIBs). Before you install snmptrapd on your system, see the SNMPTRAPD manual page.
- To configure the logging format, open snmptrapd.conf and add the following stanza:
# snmptrapd formatting
# http://www.net-snmp.org/wiki/index.php/TUT:Configuring_snmptrapd_to_parse_MIBS_from_3rd_party_Vendors
# SNMPV1
format1 Agent_Address = %A\nAgent_IP = %b\nAgent_Hostname = %B\nDate = %#y-%#02.2m-%#02.2l %#02.2h:%#02.2j:%#02.2k\nEnterprise_OID = %N\nTrap_Type = %w\nTrap_SubType = %q\nCommunity_Infosec_Context = %P\nUptime = %T\nDescription = %W\nPDU_Attribute_Value_Pair_Array:\n%V\n%v\n---\n
# SNMPV2
format2 Agent_Address = %A\nAgent_IP = %b\nAgent_Hostname = %B\nDate = %#y-%#02.2m-%#02.2l %#02.2h:%#02.2j:%#02.2k\nEnterprise_OID = %N\nTrap_Type = %w\nTrap_SubType = %q\nCommunity_Infosec_Context = %P\nUptime = %T\nDescription = %W\nPDU_Attribute_Value_Pair_Array:\n%V\n%v\n---\n
Step 2: Send SNMP events to your Splunk deployment
For instructions on getting SNMP events into your Splunk deployment, see Send SNMP events to your Splunk deployment in the Splunk Enterprise Getting Data In manual.
Step 3: Configure the snmptrapd index
After you install and configure snmptrapd, you need to tell Splunk software and ITSI where to find the SNMP data and how to parse it. Use the following ITSI configuration files to instruct Splunk software to monitor the file that snmptrapd is writing to, and to parse and extract the key-value pairs that make up the important information contained in the traps.
inputs.conf
Add the following stanza to the local version of inputs.conf:
[monitor:///var/log/snmptrapd.log]
disabled = false
index = snmptrapd
sourcetype = snmptrapd
This stanza tells your Splunk instance where to look for your data. Deploy this configuration on forwarders or Splunk instances co-located with snmptrapd.
props.conf
Add the following stanza to the local version of props.conf:
[snmptrapd]
DATETIME_CONFIG =
KV_MODE = none
LINE_BREAKER = ([\r\n]+)Agent_Address\s=
MAX_TIMESTAMP_LOOKAHEAD = 30
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
TIME_FORMAT = %Y-%m-%d %H:%M:%S
TIME_PREFIX = Date\s=\s
TZ = UTC
category = Custom
description = parse snmptrapd logging with custom kvpair splunk formatting
disabled = false
pulldown_type = true
EXTRACT-node = ^[^\[\n]*\[(?P<node>[^\]]+)
REPORT-snmptrapd = snmptrapd_kv
This stanza sets line-breaking rules and extracts the timestamp. In this case, the timestamp is the time that the snmptrapd server received the trap. This stanza also ensures that Splunk knows how to parse the time format.
Deploy this configuration to your heavy forwarder, indexer, and search heads.
transforms.conf
Add the following stanza to the local version of transforms.conf:
[snmptrapd_kv]
DELIMS = "\n","="
This stanza extracts all key-value pairs in the SNMP trap. Deploy this configuration to your heavy forwarder, indexer, and/or search heads.
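To check that the snmptrapd format strings from Step 1 and the props.conf and transforms.conf settings above agree with each other before you deploy them, here is an added Python example (not part of the Splunk or ITSI documentation, and not Splunk's own parser) that applies the same rules to a constructed two-trap log: it breaks events where LINE_BREAKER does, reads the timestamp after TIME_PREFIX using TIME_FORMAT in UTC, and splits key-value pairs using the DELIMS settings. The field-name cleaning (non-alphanumeric characters replaced with underscores, leading underscores and digits dropped) is an approximation of Splunk's default CLEAN_KEYS behaviour, and the sample addresses, hostnames, OIDs and values are made up.

```python
import re
from datetime import datetime, timezone

# Constructed sample (not real trap data): two traps written by snmptrapd
# with the format1/format2 strings from Step 1, one varbind per line.
SAMPLE_LOG = (
    "Agent_Address = 192.0.2.10\n"
    "Agent_IP = 192.0.2.10\n"
    "Agent_Hostname = router-lab-01\n"
    "Date = 2024-03-05 14:07:21\n"
    "Enterprise_OID = SNMPv2-SMI::enterprises.8072.4\n"
    "Trap_Type = 6\n"
    "Trap_SubType = 1\n"
    "Community_Infosec_Context = public\n"
    "Uptime = 0:01:02:03.04\n"
    "Description = Enterprise Specific\n"
    "PDU_Attribute_Value_Pair_Array:\n"
    "SNMPv2-MIB::sysUpTime.0 = 372304\n"
    "IF-MIB::ifDescr.2 = eth0\n"
    "---\n"
    "Agent_Address = 192.0.2.11\n"
    "Agent_IP = 192.0.2.11\n"
    "Agent_Hostname = switch-lab-02\n"
    "Date = 2024-03-05 14:09:02\n"
    "Enterprise_OID = SNMPv2-SMI::enterprises.8072.4\n"
    "Trap_Type = 6\n"
    "Trap_SubType = 2\n"
    "Community_Infosec_Context = public\n"
    "Uptime = 0:01:03:44.10\n"
    "Description = Enterprise Specific\n"
    "PDU_Attribute_Value_Pair_Array:\n"
    "IF-MIB::ifIndex.3 = 3\n"
    "IF-MIB::ifOperStatus.3 = down\n"
    "---\n"
)

# LINE_BREAKER = ([\r\n]+)Agent_Address\s= : a new event starts where a run
# of newlines is followed by "Agent_Address =" (the newlines are consumed).
LINE_BREAKER = re.compile(r"[\r\n]+(?=Agent_Address\s=)")
TIME_PREFIX = re.compile(r"Date\s=\s")          # TIME_PREFIX = Date\s=\s
TIME_FORMAT = "%Y-%m-%d %H:%M:%S"               # TIME_FORMAT from props.conf
MAX_TIMESTAMP_LOOKAHEAD = 30                    # MAX_TIMESTAMP_LOOKAHEAD = 30
PAIR_DELIM, KV_DELIM = "\n", "="                # DELIMS = "\n","="


def split_events(log: str) -> list[str]:
    """Apply the LINE_BREAKER rule and drop empty fragments."""
    return [e for e in LINE_BREAKER.split(log) if e.strip()]


def extract_time(event: str):
    """Find TIME_PREFIX, then parse TIME_FORMAT inside the lookahead window (TZ = UTC)."""
    m = TIME_PREFIX.search(event)
    if not m:
        return None
    window = event[m.end(): m.end() + MAX_TIMESTAMP_LOOKAHEAD]
    ts = re.match(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}", window)
    if not ts:
        return None
    return datetime.strptime(ts.group(0), TIME_FORMAT).replace(tzinfo=timezone.utc)


def clean_key(key: str) -> str:
    """Approximation (assumption) of Splunk's default CLEAN_KEYS field-name cleaning."""
    key = re.sub(r"[^A-Za-z0-9_]", "_", key)
    return key.lstrip("_0123456789")


def extract_kv(event: str) -> dict:
    """Split on the pair delimiter, then on the first key-value delimiter, like DELIMS."""
    fields: dict = {}
    for pair in event.split(PAIR_DELIM):
        if KV_DELIM not in pair:          # "PDU_Attribute_Value_Pair_Array:" and "---" carry no pair
            continue
        key, value = pair.split(KV_DELIM, 1)
        key, value = clean_key(key.strip()), value.strip()
        if not key:
            continue
        if key in fields:                 # repeated keys become multivalue fields
            previous = fields[key]
            fields[key] = (previous if isinstance(previous, list) else [previous]) + [value]
        else:
            fields[key] = value
    return fields


def parse_snmptrapd_log(log: str) -> list[dict]:
    """Return one dict per trap, with the extracted fields and a UTC _time."""
    events = []
    for raw in split_events(log):
        fields = extract_kv(raw)
        fields["_time"] = extract_time(raw)
        events.append(fields)
    return events


if __name__ == "__main__":
    for event in parse_snmptrapd_log(SAMPLE_LOG):
        print(event["_time"].isoformat(), event["Agent_Hostname"], event["Trap_SubType"])
```

Run the file with python3 to print one line per trap. The cleaned varbind names (for example SNMPv2_MIB__sysUpTime_0) show how MIB-resolved field names will look in search, which matters when you write or tune the SNMP Traps correlation search in Step 5. Note that the Community_Infosec_Context field puts the community string into the indexed event, so restrict read access to the snmptrapd index to the roles that need it.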
default.meta.conf
Add the following stanza to the local version of default.meta.conf:
[]
access = read : [ * ], write : [ admin ]
export = system
This stanza includes a local.meta.conf file in the ITSI application that exports permissions to the system. Deploy this configuration on your search heads.
Step 5: Enable the SNMP correlation search and aggregation policy
ITSI provides the following default correlation search and aggregation policy for processing SNMP traps:
SNMP Traps
A default correlation search that generates a notable event for each SNMP trap received through Splunk.
Default SNMP Policy
A default notable event aggregation policy that aggregates individual SNMP trap events into episodes in Episode Review.
- To enable the correlation search, click Configuration > Correlation Searches and enable the SNMP Traps search in the Status column.
- To enable the aggregation policy, click Configuration > Notable Event Aggregation Policies and enable the Default SNMP Policy in the Status column.