We were able to get access to Cisco's product labs, where I could (remotely) access some of their high-end hardware, and I was able to test the SNMP collector against the Nexus series 3000, 5000, and 7000 switches. In Part 2 I'll explain just a few of the things you can do with that data once it's in Splunk.
In fact, we considered gathering data via Netconf instead of SNMP, but determined that since our goals were read-only, and SNMP is everywhere (not to mention that the modular input was already written), we would go that route. You have two choices: you can set a community string (which lets anyone query the device if they know the string), or you can set up SNMP v3 usernames and passwords. The configuration is fully documented (with examples) in the configuration guide (this is the Nexus 7000 one), including how to use v3 users with passwords and groups for authorization.

[Figure: Nexus 3000 Configuration Example]

Of course, while I was writing this, v3 support arrived in the latest release of the Splunk SNMP Modular Input, so all you have to do is get the latest version, and then download the appropriate pyCrypto package for your Splunk server to enable it. If no community strings are configured on the switch, you'll need to use SNMP v3 or create a community. The modular input ships with the core SNMP MIBs pre-defined, of course, but in order to get custom Cisco information, you'll need their MIB definitions. You can download the Cisco MIBs from their SNMP Object Navigator and compile them yourself using commands like this.

Also, please note that I did this conversion in November 2013; the older these get, the more likely it is that you should update them from Cisco's source. Regardless of where you get them, you can either compile them into an egg for your particular platform, or just drop the loose .py files into the snmp_ta/bin/mibs folder. In my case, because I hadn't worked with this Modular Input before, I configured one via the UI, and then copied it and edited it to configure all the other devices I needed to monitor. Note that you have to list the MIBs that will be loaded for parsing the data, and the community string, and give each stanza a name that will help you identify it when you see it in the logs.
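Because every stanza carries the community string in the clear, it is worth checking a copy of inputs.conf before it is deployed. The following is an added example, not the author's configuration or the modular input's own code: it embeds a constructed inputs.conf with one v2c stanza and one v3 stanza, then lints each `[snmp://...]` stanza for the keys the post says are required (MIB names, object names, community string or v3 credentials) and flags the well-known default community strings. The key names (`destination`, `snmp_version`, `communitystring`, `v3_securityName`, `v3_authKey`, `v3_privKey`, `mib_names`, `object_names`, `do_bulk_get`, `split_bulk_output`, `interval`) are assumed from the modular input's inputs.conf.spec as I remember it; check them against the version you install.

```python
import configparser

# Constructed inputs.conf text in the style of the Splunk SNMP Modular Input.
# Key names are assumptions taken from that app's inputs.conf.spec; verify
# them against your installed version. Addresses are documentation ranges.
SAMPLE_INPUTS_CONF = """
[snmp://nexus3000-lab]
destination = 192.0.2.10
snmp_version = 2C
communitystring = public
mib_names = IF-MIB,CISCO-ENVMON-MIB
object_names = 1.3.6.1.2.1.2.2.1.2,1.3.6.1.2.1.2.2.1.8
do_bulk_get = 1
split_bulk_output = 1
interval = 60

[snmp://nexus7000-lab]
destination = 192.0.2.20
snmp_version = 3
v3_securityName = splunkro
v3_authKey = CHANGE-ME-authpass
v3_privKey = CHANGE-ME-privpass
mib_names = IF-MIB
object_names = 1.3.6.1.2.1.2.2.1.2
do_bulk_get = 1
split_bulk_output = 1
interval = 60
"""

# Vendor-default read communities that should never reach production.
WEAK_COMMUNITIES = {"public", "private"}
# Keys every polling stanza needs for the input to produce parsed events.
REQUIRED = ("destination", "mib_names", "object_names")


def lint_snmp_stanzas(conf_text):
    """Return {stanza_name: [finding, ...]} for each [snmp://...] stanza."""
    cp = configparser.RawConfigParser()
    cp.read_string(conf_text)
    findings = {}
    for section in cp.sections():
        if not section.startswith("snmp://"):
            continue
        issues = []
        for key in REQUIRED:
            if not cp.has_option(section, key):
                issues.append("missing %s" % key)
        version = cp.get(section, "snmp_version", fallback="2C").upper()
        if version == "3":
            # v3 needs at least a user and an auth key to authenticate.
            for key in ("v3_securityName", "v3_authKey"):
                if not cp.has_option(section, key):
                    issues.append("v3 selected but %s not set" % key)
        else:
            # v1/v2c: the community string is the only access control.
            if not cp.has_option(section, "communitystring"):
                issues.append("v1/v2c selected but communitystring not set")
            elif cp.get(section, "communitystring").lower() in WEAK_COMMUNITIES:
                issues.append("default community string in use")
            issues.append("plaintext community string; prefer v3 with auth")
        findings[section] = issues
    return findings


if __name__ == "__main__":
    for stanza, issues in lint_snmp_stanzas(SAMPLE_INPUTS_CONF).items():
        print(stanza, issues or ["ok"])
```

Run against a real inputs.conf, the v2c stanzas will always carry the "prefer v3" note; that is deliberate, since the post itself points out that anyone who knows the string can query the device.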
All told, as a developer, determining which OIDs to query for the information you need is something I never quite felt I had a handle on, and it's clearly a steep learning curve (as you'll see below, I still have several more mib_names listed than I'm actually querying in the object_names). In the examples above I am doing bulk get queries of tables using SNMP v2C, and splitting the output. This results in a raw event in Splunk for each field of data, which (as you'll see) meant I had to pull the events back together in my queries. In the listing above I've shortened the list of MIB names and shown the object names as OID values (for the sake of formatting on the blog; if you check out the GitHub project you'll find them spelled out as text, but either way works). There's a lot more information available, including temperatures (which are a good way of detecting potential problems before they become catastrophes), but this is just an example, and the data I'm querying here should work with any switch or router that supports SNMP.

All other brand names, product names, or trademarks belong to their respective owners.
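The split bulk output described above produces one event per table cell, so the rows of ifTable have to be reassembled by their index before they are useful. The following is an added example, not the author's code or part of the modular input: it takes a handful of constructed events in two shapes (a symbolic `MIB::object."index" = value` form and a numeric OID with the row index as the trailing sub-identifier), resolves the numeric columns through a small OID table built from the standard IF-MIB ifTable columns, and regroups the cells into one dictionary per interface. The exact text format the modular input emits is an assumption here; adjust the two regular expressions to match what you see in your own events.

```python
import re
from collections import defaultdict

# Standard IF-MIB ifTable column OIDs (real values) mapped to their names.
# Real deployments would generate this table from the compiled MIBs.
OID_TABLE = {
    "1.3.6.1.2.1.2.2.1.2": "ifDescr",
    "1.3.6.1.2.1.2.2.1.8": "ifOperStatus",
    "1.3.6.1.2.1.2.2.1.10": "ifInOctets",
}

# ifOperStatus enumeration from IF-MIB.
OPER_STATUS = {"1": "up", "2": "down", "3": "testing"}

# Constructed sample events, one per table cell. The two shapes below are an
# assumed rendering of split bulk output, not captured from a real switch.
SAMPLE_EVENTS = [
    'IF-MIB::ifDescr."1" = Ethernet1/1',
    'IF-MIB::ifDescr."2" = Ethernet1/2',
    '1.3.6.1.2.1.2.2.1.8.1 = 1',
    '1.3.6.1.2.1.2.2.1.8.2 = 2',
    '1.3.6.1.2.1.2.2.1.10.1 = 123456',
    '1.3.6.1.2.1.2.2.1.10.2 = 0',
]

# Optional MIB prefix, object name, quoted row index, value.
SYMBOLIC = re.compile(r'^(?:[\w-]+::)?(\w+)\."([^"]+)"\s*=\s*(.*)$')
# Column OID, then the row index as the last sub-identifier, then value.
NUMERIC = re.compile(r'^([\d.]+)\.(\d+)\s*=\s*(.*)$')


def parse_event(line):
    """Return (object_name, row_index, value) or None if the line is unusable."""
    m = SYMBOLIC.match(line)
    if m:
        return m.group(1), m.group(2), m.group(3).strip()
    m = NUMERIC.match(line)
    if m:
        column, index, value = m.groups()
        name = OID_TABLE.get(column)
        if name is None:
            return None  # column not in our MIB table: skip rather than guess
        return name, index, value.strip()
    return None


def regroup(events):
    """Rebuild one row per table index from per-cell events."""
    rows = defaultdict(dict)
    for line in events:
        parsed = parse_event(line)
        if parsed is None:
            continue
        name, index, value = parsed
        if name == "ifOperStatus":
            value = OPER_STATUS.get(value, value)  # decode the enum if known
        rows[index][name] = value
    return dict(rows)


if __name__ == "__main__":
    for index, row in sorted(regroup(SAMPLE_EVENTS).items()):
        print(index, row)
```

The same grouping is what a Splunk search has to do with `stats ... by index`; doing it once in code makes it obvious that the row index, not the event timestamp, is the join key, and that columns you never mapped in the MIB table simply drop out rather than landing in the wrong row.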