snmp and splunk
![Page 1: SNMP and splunk](https://reader035.vdocument.in/reader035/viewer/2022081414/588773531a28ab22358b6d1b/html5/thumbnails/1.jpg)
CSUG September 2015
splunk> + SNMP
![Page 2: SNMP and splunk](https://reader035.vdocument.in/reader035/viewer/2022081414/588773531a28ab22358b6d1b/html5/thumbnails/2.jpg)
About Me
Ashley Hartge (https://au.linkedin.com/in/ashleyhartge)
Not a professional speaker / presenter
19+ years full-time in the IT Industry
7+ years in Managed Network Security space
Senior Network Security Engineer, Verizon – Global Commercial MSS Provider
splunk> user since 2009 (personal & prof.)
Active Verizon splunk> evangelist (APAC & US)
![Page 3: SNMP and splunk](https://reader035.vdocument.in/reader035/viewer/2022081414/588773531a28ab22358b6d1b/html5/thumbnails/3.jpg)
The Journey …
Verizon – Global Commercial MSS Provider
In-House SIEM product for many years
Legacy selection of pre-canned reports
Increasing need for dynamic ad hoc reports (Internal & Customer driven)
Difficult & rigid ETL process (release cycles): any changes need development / release work
Manually craft DB Query -> CSV -> Pivot table …
Needed reporting at the speed of thought
![Page 4: SNMP and splunk](https://reader035.vdocument.in/reader035/viewer/2022081414/588773531a28ab22358b6d1b/html5/thumbnails/4.jpg)
The Journey …
Using splunk for home / lab networks … why not see what can be done for our reports …
Old SOC workstation
Download & install splunk eval
Ingest a day’s incidents
Build reports
Blow management’s mind with visibility
Splunk grabs a foothold … the rest is history
![Page 5: SNMP and splunk](https://reader035.vdocument.in/reader035/viewer/2022081414/588773531a28ab22358b6d1b/html5/thumbnails/5.jpg)
Agenda
Secondary use-case after deploying splunk
IT Ops | CMDB | Process Auditing | Tracking
Basic SNMP polling using splunk>
Distributed deployment with remote collection
Large scale scripted collection
![Page 6: SNMP and splunk](https://reader035.vdocument.in/reader035/viewer/2022081414/588773531a28ab22358b6d1b/html5/thumbnails/6.jpg)
Basic SNMP Polling with splunk>
Simplest deployment of single instance directly polling end device
![Page 7: SNMP and splunk](https://reader035.vdocument.in/reader035/viewer/2022081414/588773531a28ab22358b6d1b/html5/thumbnails/7.jpg)
Install SNMP Modular Input
https://splunkbase.splunk.com/app/1537/
![Page 8: SNMP and splunk](https://reader035.vdocument.in/reader035/viewer/2022081414/588773531a28ab22358b6d1b/html5/thumbnails/8.jpg)
Configure Input
![Page 9: SNMP and splunk](https://reader035.vdocument.in/reader035/viewer/2022081414/588773531a28ab22358b6d1b/html5/thumbnails/9.jpg)
Distributed Deployment
Expand our single instance, with forwarders remotely collecting SNMP data
![Page 10: SNMP and splunk](https://reader035.vdocument.in/reader035/viewer/2022081414/588773531a28ab22358b6d1b/html5/thumbnails/10.jpg)
Install Forwarders
Set up a receiving port on the Indexer
Install Forwarder
![Page 11: SNMP and splunk](https://reader035.vdocument.in/reader035/viewer/2022081414/588773531a28ab22358b6d1b/html5/thumbnails/11.jpg)
Install Forwarders
Configure Forwarding to your indexer
Unzip & Install SNMP Modular input on Universal Forwarder
![Page 12: SNMP and splunk](https://reader035.vdocument.in/reader035/viewer/2022081414/588773531a28ab22358b6d1b/html5/thumbnails/12.jpg)
Configure snmp_ta/local/inputs.conf
Configure /local/inputs.conf on the Forwarder with the community string & the OIDs to poll.
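An added example (not from the slides) of the snmp_ta/local/inputs.conf stanza this step describes: one SNMP Modular Input polling a single device every 60 seconds, matching the per-minute polling used in the later searches. The stanza name, device address (192.0.2.10, a documentation address) and index are placeholders, and the parameter names follow the app's README of the time, so check them against the installed version. The v2c community string sits in this file and crosses the wire in cleartext; it should be a read-only community that the device's SNMP ACL restricts to the forwarder's address. The second stanza shows the SNMPv3 authPriv form, which authenticates the agent and encrypts the exchange.

```ini
# snmp_ta/local/inputs.conf on the Universal Forwarder (added example)
# SNMPv2c, as on the slides. 'public' is only a placeholder community name.
[snmp://dc_sensor_rack1]
destination = 192.0.2.10
port = 161
version = 2
communitystring = public
# sysUpTime.0 and sysName.0; append the sensor's temperature/humidity OIDs here
object_names = 1.3.6.1.2.1.1.3.0,1.3.6.1.2.1.1.5.0
snmpinterval = 60
sourcetype = snmp
index = snmp
disabled = 0

# SNMPv3 authPriv equivalent (parameter names per the app README; verify on your version)
[snmp://dc_sensor_rack1_v3]
destination = 192.0.2.10
port = 161
version = 3
v3_securityName = splunkpoll
v3_authKey = <auth passphrase>
v3_authProtocol = usmHMACSHAAuthProtocol
v3_privKey = <priv passphrase>
v3_privProtocol = usmAesCfb128Protocol
object_names = 1.3.6.1.2.1.1.3.0,1.3.6.1.2.1.1.5.0
snmpinterval = 60
sourcetype = snmp
index = snmp
disabled = 0
```

Keep only one of the two stanzas enabled for a given device; the v3 user needs to exist on the device with read-only access to the polled subtree.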
![Page 13: SNMP and splunk](https://reader035.vdocument.in/reader035/viewer/2022081414/588773531a28ab22358b6d1b/html5/thumbnails/13.jpg)
Displaying Results
Restart forwarder & verify events being received
Create tags to give recognisable names to the hosts (this could also be done within the input or a lookup)
![Page 14: SNMP and splunk](https://reader035.vdocument.in/reader035/viewer/2022081414/588773531a28ab22358b6d1b/html5/thumbnails/14.jpg)
Displaying Results
Run a simple search on the sourcetype to see if we are getting data (SNMP was configured to poll the device every minute).
Notice our host tags we configured
![Page 15: SNMP and splunk](https://reader035.vdocument.in/reader035/viewer/2022081414/588773531a28ab22358b6d1b/html5/thumbnails/15.jpg)
Displaying Results
Quick & Dirty regex to show TEMP & HUMIDITY from our sensors
![Page 16: SNMP and splunk](https://reader035.vdocument.in/reader035/viewer/2022081414/588773531a28ab22358b6d1b/html5/thumbnails/16.jpg)
But I don’t like/know regex
Use the splunk field extractor
![Page 17: SNMP and splunk](https://reader035.vdocument.in/reader035/viewer/2022081414/588773531a28ab22358b6d1b/html5/thumbnails/17.jpg)
Extracting values
![Page 18: SNMP and splunk](https://reader035.vdocument.in/reader035/viewer/2022081414/588773531a28ab22358b6d1b/html5/thumbnails/18.jpg)
Extracting values
The values are provided by the sensors but need to be divided by 10 & rounded
Solution = calculated field
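Added example, not part of the slides: the quick & dirty regex and the divide-by-ten calculated field written as search-time settings in props.conf on the search head, so every search on the sourcetype gets clean temp_c and humidity_pct fields without repeating the rex. It assumes the modular input's default sourcetype `snmp`, events written as `<oid> = "<value>"` pairs, and sensor readings reported in tenths; the two OIDs under 1.3.6.1.4.1.99999 are hypothetical placeholders for whatever the real sensor exposes.

```ini
# props.conf on the search head (added example). Events are assumed to look like:
#   1.3.6.1.4.1.99999.1.1.0 = "234" 1.3.6.1.4.1.99999.1.2.0 = "517"
# 1.3.6.1.4.1.99999.* are hypothetical sensor OIDs; substitute your sensor's.
[snmp]
# 1. the quick & dirty regex, made permanent: capture the raw integers
EXTRACT-sensor_temp = 1\.3\.6\.1\.4\.1\.99999\.1\.1\.0\s*=\s*"?(?<temp_raw>-?\d+)"?
EXTRACT-sensor_humidity = 1\.3\.6\.1\.4\.1\.99999\.1\.2\.0\s*=\s*"?(?<humidity_raw>\d+)"?
# 2. calculated fields: the sensor reports tenths, so divide by 10 and round
#    (EVAL- settings are applied after EXTRACT- in the search-time pipeline)
EVAL-temp_c = round(temp_raw / 10, 1)
EVAL-humidity_pct = round(humidity_raw / 10, 1)
```

Check with `sourcetype=snmp | table _time host temp_c humidity_pct`; if the raw fields come back empty, the assumed event format or OIDs are wrong, and `sourcetype=snmp | head 1` shows what the input actually wrote.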
![Page 19: SNMP and splunk](https://reader035.vdocument.in/reader035/viewer/2022081414/588773531a28ab22358b6d1b/html5/thumbnails/19.jpg)
Extracting “value”
![Page 20: SNMP and splunk](https://reader035.vdocument.in/reader035/viewer/2022081414/588773531a28ab22358b6d1b/html5/thumbnails/20.jpg)
Extracting “value”
![Page 21: SNMP and splunk](https://reader035.vdocument.in/reader035/viewer/2022081414/588773531a28ab22358b6d1b/html5/thumbnails/21.jpg)
Large scale scripted collection
Python script to poll 1000’s of devices, output to CSV, scp to splunk server, index CSV into splunk
![Page 22: SNMP and splunk](https://reader035.vdocument.in/reader035/viewer/2022081414/588773531a28ab22358b6d1b/html5/thumbnails/22.jpg)
SNMP with Python fabric
Compile a list of SNMP OIDs that provide the values we want from each platform, then use a python script to connect to the management stations, SNMP poll the devices & return the result into a CSV file, which is scp’d to the Indexer.

```python
OIDS = {
    'fortigate': {'hostname': '1.3.6.1.2.1.1.5.0', 'uptime': '1.3.6.1.2.1.1.3.0', 'model': 'SNMPv2-SMI::mib-2.47.1.1.1.1.10.1', 'version': 'SNMPv2-SMI::enterprises.12356.101.4.1.1.0', 'serial': '1.3.6.1.4.1.12356.100.1.1.1.0', 'avsig': '1.3.6.1.4.1.12356.101.4.2.1.0', 'idssig': '1.3.6.1.4.1.12356.101.4.2.2.0', 'go': True},
    'paloalto': {'model': '1.3.6.1.4.1.25461.2.1.2.2.1.0', 'version': '1.3.6.1.4.1.25461.2.1.2.1.1.0', 'uptime': '1.3.6.1.2.1.1.3.0', 'serial': '.1.3.6.1.4.1.25461.2.1.2.1.3.0', 'avsig': '1.3.6.1.4.1.25461.2.1.2.1.8.0', 'idssig': '1.3.6.1.4.1.25461.2.1.2.1.9.0', 'go': True},
    'cisco-asa-ssm': {'hostname': 'SNMPv2-MIB::sysName.0', 'uptime': 'HOST-RESOURCES-MIB::hrSystemUptime.0', 'model': 'SNMPv2-SMI::mib-2.47.1.1.1.1.13.1', 'version': 'SNMPv2-SMI::enterprises.9.9.383.1.4.20.0', 'serial': 'SNMPv2-SMI::mib-2.47.1.1.1.1.11.1', 'license': 'SNMPv2-SMI::enterprises.9.9.383.1.4.22.00', 'idssig': 'SNMPv2-SMI::enterprises.9.9.383.1.4.21.0', 'go': True},
}
```
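An added example, not the presentation's script, of the collector's core: turn the per-platform OID map into a net-snmp `snmpget` command, parse the reply positionally (snmpget answers in the order asked), and emit one headerless CSV row in a fixed column order. It assumes net-snmp on the management station, a column order that matches the sourcetype definition on the indexer, and SNMPv2c as on the slides; an SNMPv3 authPriv option is included because a v2c community string is sent and stored in the clear. The FortiGate entry is copied from the slide; the sample reply and device values are constructed.

```python
"""Added example (not the presentation's script): per-platform OID map ->
net-snmp `snmpget` command -> parsed reply -> one headerless CSV row.

Assumptions not stated on the slides: polling uses net-snmp `snmpget` on the
management station; the CSV has no header row, so COLUMNS must match the
sourcetype's column list; SNMPv2c is the default (as on the slides) with an
SNMPv3 authPriv option because v2c community strings are sent and stored in
the clear.
"""
import csv
import io
import re

# Platform -> field -> OID, in the slide's format (FortiGate entry copied from
# the slide; add the other platforms the same way). 'go' enables a platform.
OIDS = {
    'fortigate': {
        'hostname': '1.3.6.1.2.1.1.5.0',
        'uptime': '1.3.6.1.2.1.1.3.0',
        'model': 'SNMPv2-SMI::mib-2.47.1.1.1.1.10.1',
        'version': 'SNMPv2-SMI::enterprises.12356.101.4.1.1.0',
        'serial': '1.3.6.1.4.1.12356.100.1.1.1.0',
        'avsig': '1.3.6.1.4.1.12356.101.4.2.1.0',
        'idssig': '1.3.6.1.4.1.12356.101.4.2.2.0',
        'go': True,
    },
}

# Fixed column order of the headerless CSV (assumed; must match the FIELDS
# list of the sourcetype definition on the indexer).
COLUMNS = ['platform', 'ip', 'hostname', 'uptime', 'model', 'version',
           'serial', 'avsig', 'idssig', 'license']


def enabled_platforms():
    return [p for p, spec in OIDS.items() if spec.get('go')]


def poll_fields(platform):
    """Fields to request for a platform, in COLUMNS order (drives both the
    request and the positional parse of the reply)."""
    return [f for f in COLUMNS[2:] if f in OIDS[platform]]


def snmpget_cmd(platform, ip, community=None, v3=None):
    """argv for net-snmp snmpget against one device.

    community -> SNMPv2c, as on the slides: the secret crosses the wire in clear.
    v3 -> {'user', 'auth_pass', 'priv_pass'} -> SNMPv3 authPriv (SHA/AES):
          the reply is authenticated and the exchange encrypted.
    """
    if v3:
        auth = ['-v3', '-l', 'authPriv', '-u', v3['user'],
                '-a', 'SHA', '-A', v3['auth_pass'],
                '-x', 'AES', '-X', v3['priv_pass']]
    else:
        auth = ['-v2c', '-c', community]
    oids = [OIDS[platform][f] for f in poll_fields(platform)]
    return ['snmpget'] + auth + [ip] + oids


# Default snmpget output line: "<name or oid> = <TYPE>: <value>"; error replies
# such as "No Such Object available on this agent at this OID" have no TYPE.
_LINE = re.compile(r'^(?P<oid>\S+)\s*=\s*(?:(?P<type>[A-Za-z0-9-]+):\s*)?(?P<value>.*)$')
_TICKS = re.compile(r'^\((?P<ticks>\d+)\)')   # Timeticks: (123456) 0:20:34.56


def parse_snmpget(output):
    """Values in request order. Missing objects become ''; Timeticks are
    reduced to the raw tick count; continuation lines of multi-line string
    values are ignored."""
    values = []
    for line in output.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue
        typ, val = m.group('type'), m.group('value').strip()
        if val.startswith('No Such'):
            values.append('')
        elif typ == 'Timeticks':
            t = _TICKS.match(val)
            values.append(t.group('ticks') if t else val)
        else:
            values.append(val.strip('"'))
    return values


def csv_row(platform, ip, output):
    """One CSV line in COLUMNS order; fields the platform lacks stay empty."""
    rec = dict.fromkeys(COLUMNS, '')
    rec.update(platform=platform, ip=ip)
    rec.update(zip(poll_fields(platform), parse_snmpget(output)))
    buf = io.StringIO()
    csv.writer(buf, lineterminator='\n').writerow([rec[c] for c in COLUMNS])
    return buf.getvalue()


# Constructed sample reply for one FortiGate (fake values, not a real device).
SAMPLE_OUTPUT = """\
SNMPv2-MIB::sysName.0 = STRING: fw-syd-01
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (123456) 0:20:34.56
SNMPv2-SMI::mib-2.47.1.1.1.1.10.1 = STRING: FortiGate-60D
SNMPv2-SMI::enterprises.12356.101.4.1.1.0 = STRING: v5.2.3,build670,150318 (GA)
SNMPv2-SMI::enterprises.12356.100.1.1.1.0 = STRING: FGT60D0000000000
SNMPv2-SMI::enterprises.12356.101.4.2.1.0 = STRING: 26.00890
SNMPv2-SMI::enterprises.12356.101.4.2.2.0 = STRING: 6.00780
"""

if __name__ == '__main__':
    print(' '.join(snmpget_cmd('fortigate', '192.0.2.10', community='public')))
    print(csv_row('fortigate', '192.0.2.10', SAMPLE_OUTPUT), end='')
```

In the real collector the argv goes to the management station via fabric and the captured stdout goes through `csv_row`; because the parse is positional, a platform whose agent returns an error for one OID still lands in the right column rather than shifting the rest of the row.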
![Page 23: SNMP and splunk](https://reader035.vdocument.in/reader035/viewer/2022081414/588773531a28ab22358b6d1b/html5/thumbnails/23.jpg)
SNMP with Python fabric
Splunk easily ingests CSV data.
Because our output file does NOT contain CSV header names on the first row, we pre-create a sourcetype, naming our columns:
props.conf
transforms.conf
![Page 24: SNMP and splunk](https://reader035.vdocument.in/reader035/viewer/2022081414/588773531a28ab22358b6d1b/html5/thumbnails/24.jpg)
SNMP with Python fabric
Create an input to monitor the csv
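Added example (not from the slides) of the three configuration pieces the last slides describe: a sourcetype for the headerless CSV, its column map, and a monitor input for the directory the collector scp's into. The sourcetype name, index, path and column order are assumptions; the column order must match the order the collector writes. Splunk recognises a file it has already read by a CRC of its first bytes, so have the collector write a new, uniquely named file per run rather than overwriting one file, and keep the dropped files readable only by the splunk user, since each row identifies a firewall by serial and signature level.

```ini
# props.conf (indexer; also on the search head for the REPORT- extraction). Added example.
[snmp_inventory]
SHOULD_LINEMERGE = false
# the rows carry no timestamp column, so stamp them with the time they are read
DATETIME_CONFIG = CURRENT
REPORT-snmp_inventory_fields = snmp_inventory_fields

# transforms.conf: name the columns of the headerless CSV,
# in exactly the order the collector writes them
[snmp_inventory_fields]
DELIMS = ","
FIELDS = "platform","ip","hostname","uptime","model","version","serial","avsig","idssig","license"

# inputs.conf (indexer): watch the directory the collector scp's into
[monitor:///var/splunk_drop/snmp/*.csv]
sourcetype = snmp_inventory
index = snmp
# salt the file CRC with the path so each per-run file is treated as new
crcSalt = <SOURCE>
disabled = 0
```

After a restart, `sourcetype=snmp_inventory | table _time platform ip hostname version idssig` should show one row per polled device per run.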
![Page 25: SNMP and splunk](https://reader035.vdocument.in/reader035/viewer/2022081414/588773531a28ab22358b6d1b/html5/thumbnails/25.jpg)
Enrichment / Lookups
Vendor signature release details (scrape)
![Page 26: SNMP and splunk](https://reader035.vdocument.in/reader035/viewer/2022081414/588773531a28ab22358b6d1b/html5/thumbnails/26.jpg)
Cisco IPS Signature & Versions
![Page 27: SNMP and splunk](https://reader035.vdocument.in/reader035/viewer/2022081414/588773531a28ab22358b6d1b/html5/thumbnails/27.jpg)
Fortigate IPS & Versions
![Page 28: SNMP and splunk](https://reader035.vdocument.in/reader035/viewer/2022081414/588773531a28ab22358b6d1b/html5/thumbnails/28.jpg)
Palo Alto IPS & Versions
![Page 29: SNMP and splunk](https://reader035.vdocument.in/reader035/viewer/2022081414/588773531a28ab22358b6d1b/html5/thumbnails/29.jpg)
Next Steps
Dynamic Python Input Files
| inputlookup asset | table ip, snmp_community, platform | outputlookup fabricsource.csv
Dynamically deploy to forwarders
Deployment server to push input file to forwarder
Scripted inputs on forwarders to replace cron job(s) & csv-fu
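Added example, not from the slides, of the deployment pieces behind these next steps: a scripted input that runs the collector on the forwarder itself (the script writes its CSV rows to stdout, so the scp step and the cron job go away) and a server class that pushes the app to the collecting forwarders. App name, script name, server-class pattern and interval are assumptions. If the device list with `snmp_community` exported from the lookup as on the slide is shipped inside this app, it is copied to every member of the server class and lands on each forwarder's disk; restrict that file to the splunk user, or replace the community column with a reference to an SNMPv3 credential.

```ini
# $SPLUNK_HOME/etc/deployment-apps/snmp_collect/local/inputs.conf on the deployment server
# Scripted input: the collector prints one headerless CSV row per device and exits
[script://$SPLUNK_HOME/etc/apps/snmp_collect/bin/snmp_poll.py]
interval = 300
sourcetype = snmp_inventory
index = snmp
disabled = 0

# $SPLUNK_HOME/etc/system/local/serverclass.conf on the deployment server
[serverClass:snmp_collectors]
# forwarders on the management network, matched by client name / hostname
whitelist.0 = fwd-mgmt-*
[serverClass:snmp_collectors:app:snmp_collect]
restartSplunkd = true
```

The script path must live under the app's bin directory for Splunk to run it; `interval` is in seconds and can also take a cron expression if the polls should line up with the old cron schedule.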
![Page 30: SNMP and splunk](https://reader035.vdocument.in/reader035/viewer/2022081414/588773531a28ab22358b6d1b/html5/thumbnails/30.jpg)
Single Pane of Glass