From Wikipedia:
Simple Network Management Protocol (SNMP) is an “Internet-standard protocol for managing devices on IP networks”. Devices that typically support SNMP include routers, switches, servers, workstations, printers, modem racks, and more.
SNMP exposes management data in the form of variables on the managed systems.
The variables accessible via SNMP are organized in hierarchies. These hierarchies, and other metadata (such as type and description of the variable), are described by Management Information Bases (MIBs).
MIBs describe the structure of the management data of a device subsystem; they use a hierarchical namespace containing object identifiers (OID). Each OID identifies a variable that can be read or set via SNMP. MIBs use the notation defined by ASN.1.
SNMP agents can also send notifications, called Traps, to an SNMP trap listening daemon.
SNMP represents an incredibly rich source of data that you can get into Splunk for visibility across a very diverse IT landscape.
For as long as I have been involved with Splunk, one of the most recurring requests on Splunk Answers and in conversations has been “how do I get my SNMP data into Splunk?”.
And whilst there has always been a way, it has involved cobbling together a few different steps.
For polling SNMP variables this has typically involved writing a custom scripted input that uses an existing program or library under the hood, such as snmpget or pysnmp.
And for capturing SNMP traps the approach has been to run a trap daemon such as snmptrapd on your Splunk server to capture the trap, dump it to a file and have Splunk monitor the file.
I think there is a much simpler way, a way that is more natively integrated into Splunk: implementing SNMP data collection in a Splunk Modular Input.
So myself and my colleague Scott Spencer set about doing just that.
The SNMP Modular Input allows you to configure your connections to your SNMP devices, poll attribute values and capture traps. It has no external dependencies, all of the functionality is built into the Modular Input, and it will run on all supported Splunk platforms.
SNMP v1 and v2c support are currently implemented. SNMP v3 is in the pipeline, so you don’t need to email me requesting this.
The Modular Input is implemented in Python and under the hood pysnmp is used as the library upon which the Modular Input is written.
Browse to Splunkbase and download the SNMP Modular Input
To install, simply untar it into SPLUNK_HOME/etc/apps and restart Splunk.
Log in to SplunkWeb, browse to Manager->Data Inputs->SNMP->New and set up your input stanza.
You can then search over the SNMP data that gets indexed. In the example below, in addition to the SNMPv2-MIB, I have also loaded the Interface MIB (IF-MIB) to resolve the IF-MIB OID names and values to their textual representation.
Many industry standard MIBs ship with the Modular Input.
You can see which MIBs are available by looking in SPLUNK_HOME/etc/apps/snmp_ta/bin/mibs/pysnmp_mibs-0.1.4-py2.7.egg
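To make concrete what loading a MIB such as IF-MIB buys you, here is an added example (not code from the Modular Input or from pysnmp) that resolves raw OIDs and integer values to their textual form the way a MIB-aware tool does. The OID and enumeration tables are a constructed subset of SNMPv2-MIB and IF-MIB, hard-coded so the snippet runs offline.

```python
# Added example: a minimal OID-to-name resolver standing in for what the
# Modular Input gets from its compiled pysnmp MIB modules.
from typing import Dict, Tuple

# Constructed subset of SNMPv2-MIB and IF-MIB: OID prefix -> (module, object)
MIB_OBJECTS: Dict[str, Tuple[str, str]] = {
    "1.3.6.1.2.1.1.1": ("SNMPv2-MIB", "sysDescr"),
    "1.3.6.1.2.1.1.3": ("SNMPv2-MIB", "sysUpTime"),
    "1.3.6.1.2.1.1.5": ("SNMPv2-MIB", "sysName"),
    "1.3.6.1.2.1.2.1": ("IF-MIB", "ifNumber"),
    "1.3.6.1.2.1.2.2.1.2": ("IF-MIB", "ifDescr"),
    "1.3.6.1.2.1.2.2.1.7": ("IF-MIB", "ifAdminStatus"),
    "1.3.6.1.2.1.2.2.1.8": ("IF-MIB", "ifOperStatus"),
    "1.3.6.1.2.1.2.2.1.10": ("IF-MIB", "ifInOctets"),
}

# Constructed subset of the INTEGER enumerations IF-MIB defines.
ENUMS: Dict[str, Dict[int, str]] = {
    "ifAdminStatus": {1: "up", 2: "down", 3: "testing"},
    "ifOperStatus": {1: "up", 2: "down", 3: "testing", 4: "unknown",
                     5: "dormant", 6: "notPresent", 7: "lowerLayerDown"},
}


def resolve_oid(oid: str) -> Tuple[str, str, str]:
    """Longest-prefix match of a dotted OID against the loaded objects.
    Returns (module, object name, instance); the instance is the trailing
    index, '0' for scalars or the ifIndex for ifTable columns."""
    parts = oid.strip(".").split(".")
    for cut in range(len(parts), 0, -1):
        prefix = ".".join(parts[:cut])
        if prefix in MIB_OBJECTS:
            module, name = MIB_OBJECTS[prefix]
            return module, name, ".".join(parts[cut:])
    raise KeyError(f"no loaded MIB defines {oid}")


def render(oid: str, value) -> str:
    """Render one varbind as MODULE::object.instance = value, mapping
    enumerated integers to their label, e.g. up(1)."""
    module, name, instance = resolve_oid(oid)
    if name in ENUMS and isinstance(value, int):
        value = f"{ENUMS[name].get(value, 'unknown')}({value})"
    return f"{module}::{name}.{instance} = {value}"
```

Without the MIB loaded, the same varbind would be indexed as the bare numeric OID and integer, which is what the "MIB Names" field is there to avoid.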
Any additional custom MIBs need to be converted into Python Modules.
You can do this with the build-pysnmp-mib tool that ships with the pysnmp installation:
build-pysnmp-mib -o SOME-CUSTOM-MIB.py SOME-CUSTOM-MIB.mib
build-pysnmp-mib is just a wrapper around smidump, so alternatively you can execute:
smidump -f python <mib-text-file.txt> | libsmi2pysnmp > <mib-text-file.py>
Then “egg” up your Python MIB modules and place the egg in SPLUNK_HOME/etc/apps/snmp_ta/bin/mibs.
In the configuration screen for the SNMP input in Splunk Manager, there is a field called “MIB Names” (see above).
Here you can specify the MIB names you want applied to the SNMP input definition, i.e. IF-MIB,DNS-SERVER-MIB,BRIDGE-MIB
The MIB name is the same as the name of the MIB Python module in your egg package.
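As an added illustration of the egg-and-MIB-Names step above (example code, not part of the Modular Input or of pysnmp), the following packages converted MIB modules into an egg with the standard library's zipfile and syntax-checks each module before you restart Splunk. It assumes that a zip with an EGG-INFO/PKG-INFO entry is an acceptable stand-in for a setuptools-built egg, and the MIB modules it writes are constructed stand-ins for build-pysnmp-mib output.

```python
# Added example: build an egg of converted MIB modules and report, per
# MIB name, whether the module compiles. Modules are only compiled, never
# executed: pysnmp injects mibBuilder into the namespace when it loads a
# module, so a plain import would not be a fair test.
import os
import tempfile
import zipfile
from typing import Dict, List


def build_mib_egg(module_paths: List[str], egg_path: str,
                  pkg_name: str = "custom_mibs") -> None:
    """Zip SOME-MIB.py modules at the egg root plus minimal metadata
    (assumption: enough for a zipimport-style loader; setuptools is the
    conventional way to build a real egg)."""
    with zipfile.ZipFile(egg_path, "w", zipfile.ZIP_DEFLATED) as egg:
        egg.writestr("EGG-INFO/PKG-INFO",
                     f"Metadata-Version: 1.0\nName: {pkg_name}\nVersion: 0.1\n")
        for path in module_paths:
            egg.write(path, os.path.basename(path))


def check_mib_egg(egg_path: str) -> Dict[str, bool]:
    """Map each top-level module's MIB name (file name minus .py, which is
    what goes in the "MIB Names" field) to whether it compiles cleanly."""
    result: Dict[str, bool] = {}
    with zipfile.ZipFile(egg_path) as egg:
        for entry in egg.namelist():
            if not entry.endswith(".py") or "/" in entry:
                continue
            try:
                compile(egg.read(entry), entry, "exec")
                result[entry[:-3]] = True
            except SyntaxError:
                result[entry[:-3]] = False
    return result


def demo() -> Dict[str, bool]:
    """Constructed input: one sound module and one truncated by an
    interrupted conversion, as would happen if smidump failed midway."""
    workdir = tempfile.mkdtemp()
    good = os.path.join(workdir, "SOME-CUSTOM-MIB.py")
    bad = os.path.join(workdir, "BROKEN-MIB.py")
    with open(good, "w") as f:  # stand-in for build-pysnmp-mib output
        f.write("mibBuilder.exportSymbols('SOME-CUSTOM-MIB')\n")
    with open(bad, "w") as f:   # cut off mid-statement
        f.write("mibBuilder.exportSymbols(\n")
    egg = os.path.join(workdir, "custom_mibs.egg")
    build_mib_egg([good, bad], egg)
    return check_mib_egg(egg)
```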
This is all just an interim measure until pysnmp supports plain text MIB files, a development feature in the pipeline for pysnmp.
When that feature is ready, all you will have to do is drop the plain text MIB into SPLUNK_HOME/etc/apps/snmp_ta/bin/mibs and the SNMP Modular Input will do the rest. Watch this space!
Now it’s your turn: go and download the Modular Input, plug it in and Splunk some SNMP data. I’d love to hear your feedback about any way to make it better and even simpler. And as mentioned, SNMP Version 3 support is coming.
----------------------------------------------------
Thanks!
Damien Dallimore