SNMP and splunk

Post on 14-Apr-2017



CSUG September 2015: splunk> + SNMP

About Me

Ashley Hartge (https://au.linkedin.com/in/ashleyhartge)

Not a professional speaker / presenter

19+ years full-time in the IT Industry

7+ years in Managed Network Security space

Senior Network Security Engineer, Verizon – Global Commercial MSS Provider

splunk> user since 2009 (personal & prof.)

Active Verizon splunk> evangelist (APAC & US)

The Journey …

Verizon - Global Commercial MSS Provider

In-House SIEM product for many years

Legacy selection of pre-canned reports

Increasing need for dynamic ad hoc reports, internal & customer driven

Difficult & rigid ETL process (release cycles); any changes need development / release work

Manually craft DB Query -> CSV -> Pivot table……

Needed reporting at the speed of thought

The Journey …

Using splunk for home / lab networks … why not see what can be done for our reports …

Old SOC workstation

Download & install splunk eval

Ingest a day’s incidents

Build reports

Blow management’s mind with visibility

Splunk grabs a foothold …. The rest is history

Agenda

Secondary use-case after deploying splunk

IT Ops | CMDB | Process Auditing | Tracking

Basic SNMP polling using splunk>

Distributed deployment with remote collection

Large scale scripted collection

Basic SNMP Polling with splunk>

Simplest deployment of single instance directly polling end device

Install SNMP Modular Input

https://splunkbase.splunk.com/app/1537/

Configure Input

Distributed Deployment

Expand our single instance, with forwarders remotely collecting SNMP data

Install Forwarders

Setup Receiving port on Indexer

Install Forwarder

Install Forwarders

Configure Forwarding to your indexer

Unzip & Install SNMP Modular input on Universal Forwarder

Configure snmp_ta/local/inputs.conf

Configure /local/inputs.conf on Forwarder with community string & OIDs for polling.

Displaying Results

Restart forwarder & verify events being received

Create tags to give recognisable names to the hosts (this could also be done within the input or a lookup)

Displaying Results

Run a simple search on the sourcetype to see if we are getting data (SNMP was configured to poll the device every minute).

Notice our host tags we configured

Displaying Results

Quick & Dirty regex to show TEMP & HUMIDITY from our sensors

But I don’t like/know regex

Use splunk field extractor

Extracting values

Extracting values

The values are provided by the sensors but need to be divided by 10 & rounded

Solution = calculated field
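The two steps above (a quick regex over the sensor events, then a calculated field that divides by 10 and rounds) as one added Python example; this is not code from the talk. The event layout and the sensor OIDs are constructed, since the slides only show screenshots, and the regex is written with named groups so the same pattern can be dropped into a Splunk rex extraction:

```python
import re

# Constructed sample events (not real output from the SNMP Modular Input);
# the raw integers are 10x the real reading, as the sensors on the slide are.
SAMPLE_EVENTS = [
    'host="dc1-sensor" SNMPv2-SMI::enterprises.99999.1.1.0 = "TEMP:231"',
    'host="dc1-sensor" SNMPv2-SMI::enterprises.99999.1.2.0 = "HUMIDITY:487"',
    'host="dc2-sensor" SNMPv2-SMI::enterprises.99999.1.1.0 = "TEMP:-45"',
    'host="dc2-sensor" SNMPv2-SMI::enterprises.99999.1.1.0 = "TEMP:n/a"',
]

# Named groups, so the same pattern pasted into a Splunk rex extraction
# yields host, kind and raw as fields.
READING_RE = re.compile(
    r'host="(?P<host>[^"]+)".*?"(?P<kind>TEMP|HUMIDITY):(?P<raw>-?\d+)"'
)


def scale_reading(raw):
    """Equivalent of the calculated field  eval value=round(raw/10, 1)."""
    return round(int(raw) / 10, 1)


def extract_reading(event):
    """Return {host, kind, value} for one event, or None if it does not match."""
    m = READING_RE.search(event)
    if not m:
        return None
    return {"host": m.group("host"), "kind": m.group("kind"),
            "value": scale_reading(m.group("raw"))}


def extract_all(events):
    """Apply the extraction to a list of events, dropping non-matching ones
    (a sensor returning a non-numeric value is skipped, not turned into 0)."""
    return [r for r in (extract_reading(e) for e in events) if r]


if __name__ == "__main__":
    for reading in extract_all(SAMPLE_EVENTS):
        print(reading)
```

Dropping non-numeric readings rather than coercing them matters for dashboards: a sensor that reports "n/a" should show as a gap, not as a 0 degree reading that trips a low-temperature alert.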

Extracting “value”

Extracting “value”

Large scale scripted collection

Python script to poll 1000’s of devices, output to CSV, scp to splunk server, index CSV into splunk

SNMP with Python fabric

Compile a list of SNMP OIDs that provide the values we want from each platform, then use a python script to connect to management stations, snmp poll the devices & return the result into a CSV file, which is scp’d to the Indexer

    # Per-platform OID map used by the polling script: field name -> OID.
    # 'go' flags whether the platform is currently enabled for polling.
    OIDS = {
        'fortigate': {'hostname': '1.3.6.1.2.1.1.5.0', 'uptime': '1.3.6.1.2.1.1.3.0', 'model': 'SNMPv2-SMI::mib-2.47.1.1.1.1.10.1', 'version': 'SNMPv2-SMI::enterprises.12356.101.4.1.1.0', 'serial': '1.3.6.1.4.1.12356.100.1.1.1.0', 'avsig': '1.3.6.1.4.1.12356.101.4.2.1.0', 'idssig': '1.3.6.1.4.1.12356.101.4.2.2.0', 'go': True},
        'paloalto': {'model': '1.3.6.1.4.1.25461.2.1.2.2.1.0', 'version': '1.3.6.1.4.1.25461.2.1.2.1.1.0', 'uptime': '1.3.6.1.2.1.1.3.0', 'serial': '.1.3.6.1.4.1.25461.2.1.2.1.3.0', 'avsig': '1.3.6.1.4.1.25461.2.1.2.1.8.0', 'idssig': '1.3.6.1.4.1.25461.2.1.2.1.9.0', 'go': True},
        'cisco-asa-ssm': {'hostname': 'SNMPv2-MIB::sysName.0', 'uptime': 'HOST-RESOURCES-MIB::hrSystemUptime.0', 'model': 'SNMPv2-SMI::mib-2.47.1.1.1.1.13.1', 'version': 'SNMPv2-SMI::enterprises.9.9.383.1.4.20.0', 'serial': 'SNMPv2-SMI::mib-2.47.1.1.1.1.11.1', 'license': 'SNMPv2-SMI::enterprises.9.9.383.1.4.22.00', 'idssig': 'SNMPv2-SMI::enterprises.9.9.383.1.4.21.0', 'go': True},
    }

SNMP with Python fabric

Splunk easily ingests CSV data

Because our output file does NOT contain CSV header names on the first row, we pre-create a sourcetype, naming our columns

props.conf

transforms.conf

SNMP with Python fabric

Create an input to monitor the csv

Enrichment / Lookups

Vendor signature release details (scrape)

Cisco IPS Signature & Versions

Fortigate IPS & Versions

Palo Alto IPS & Versions
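An added example of what the enrichment step is for, not code from the talk: join the polled avsig/idssig values against a lookup of each vendor's latest signature release and flag devices that are behind or that returned nothing. The lookup CSV and the polled rows are constructed (the version strings are made up, not real release ids), and the version comparison is an assumption that should be adjusted to each vendor's numbering:

```python
import csv
import io
import re

# Constructed "latest release" lookup, standing in for the scraped vendor
# pages the slide mentions. Version strings are made up, not real releases.
VENDOR_LATEST_CSV = """platform,sig_type,latest_version
fortigate,avsig,30.0112
fortigate,idssig,6.0801
paloalto,avsig,2045.2052
paloalto,idssig,520.3212
cisco-asa-ssm,idssig,S900.0
"""

# Constructed rows in the shape a scripted SNMP poll could emit.
POLLED_ROWS = [
    {"host": "fw-syd-01", "platform": "fortigate", "avsig": "30.0112", "idssig": "6.0790"},
    {"host": "fw-mel-02", "platform": "paloalto", "avsig": "2044.2041", "idssig": "520.3212"},
    {"host": "ips-bne-03", "platform": "cisco-asa-ssm", "idssig": "S900.0"},
    {"host": "fw-per-04", "platform": "fortigate", "avsig": "", "idssig": "6.0801"},
]


def load_latest(csv_text):
    """Lookup table -> {(platform, sig_type): latest_version}."""
    return {(r["platform"], r["sig_type"]): r["latest_version"]
            for r in csv.DictReader(io.StringIO(csv_text))}


def version_key(version):
    """Assumption: a release id compares as the tuple of its integer runs
    ('6.0790' -> (6, 790), 'S900.0' -> (900, 0)); adjust per vendor."""
    return tuple(int(n) for n in re.findall(r"\d+", version))


def find_stale(rows, latest):
    """Return (stale, unknown): stale = devices behind the vendor's latest
    signature, unknown = devices where the poll returned no version."""
    stale, unknown = [], []
    for row in rows:
        for sig_type in ("avsig", "idssig"):
            target = latest.get((row["platform"], sig_type))
            if target is None:
                continue  # the lookup has no entry for this signature type
            current = row.get(sig_type, "")
            if not current:
                unknown.append((row["host"], sig_type))
            elif version_key(current) < version_key(target):
                stale.append((row["host"], sig_type, current, target))
    return stale, unknown


if __name__ == "__main__":
    stale, unknown = find_stale(POLLED_ROWS, load_latest(VENDOR_LATEST_CSV))
    for host, sig_type, current, target in stale:
        print(f"STALE   {host} {sig_type}: {current} (latest {target})")
    for host, sig_type in unknown:
        print(f"UNKNOWN {host} {sig_type}: no value returned by poll")
```

Keeping "unknown" separate from "stale" is the useful part for a SOC report: an empty value usually means the poll failed (wrong OID for that firmware, ACL, timeout) and is an ops problem, whereas a stale value is a coverage problem.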

Next Steps

Dynamic Python Input Files

| inputlookup asset | table ip, snmp_community, platform | outputlookup fabricsource.csv

Dynamically deploy to forwarders

Deployment server to push input file to forwarder

Scripted inputs on forwarders to replace cron job(s) & csv-fu
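An added example tying the "SNMP with Python fabric" collection and the "Dynamic Python Input Files" step together; it is not the speaker's script. It reads a fabricsource.csv with the columns the outputlookup above produces (ip, snmp_community, platform), polls each device for its platform's OIDs from the slide's OID map using net-snmp's snmpget (assumption: snmpget is on PATH and the poller can reach the devices), and writes a header-less CSV in a fixed column order for the pre-created sourcetype. Fabric, which the talk uses to run this on the management stations, is left out; the getter is injectable so the logic can be tested without a network:

```python
import csv
import io
import subprocess
import sys

# OID map from the slides: field name -> OID per platform.
OIDS = {
    'fortigate': {'hostname': '1.3.6.1.2.1.1.5.0', 'uptime': '1.3.6.1.2.1.1.3.0', 'model': 'SNMPv2-SMI::mib-2.47.1.1.1.1.10.1', 'version': 'SNMPv2-SMI::enterprises.12356.101.4.1.1.0', 'serial': '1.3.6.1.4.1.12356.100.1.1.1.0', 'avsig': '1.3.6.1.4.1.12356.101.4.2.1.0', 'idssig': '1.3.6.1.4.1.12356.101.4.2.2.0', 'go': True},
    'paloalto': {'model': '1.3.6.1.4.1.25461.2.1.2.2.1.0', 'version': '1.3.6.1.4.1.25461.2.1.2.1.1.0', 'uptime': '1.3.6.1.2.1.1.3.0', 'serial': '.1.3.6.1.4.1.25461.2.1.2.1.3.0', 'avsig': '1.3.6.1.4.1.25461.2.1.2.1.8.0', 'idssig': '1.3.6.1.4.1.25461.2.1.2.1.9.0', 'go': True},
    'cisco-asa-ssm': {'hostname': 'SNMPv2-MIB::sysName.0', 'uptime': 'HOST-RESOURCES-MIB::hrSystemUptime.0', 'model': 'SNMPv2-SMI::mib-2.47.1.1.1.1.13.1', 'version': 'SNMPv2-SMI::enterprises.9.9.383.1.4.20.0', 'serial': 'SNMPv2-SMI::mib-2.47.1.1.1.1.11.1', 'license': 'SNMPv2-SMI::enterprises.9.9.383.1.4.22.00', 'idssig': 'SNMPv2-SMI::enterprises.9.9.383.1.4.21.0', 'go': True},
}

# Output column order. The FIELDS list in transforms.conf for the header-less
# CSV sourcetype must be written in exactly this order. The community string
# is deliberately not a column: it is a credential and should not be indexed.
COLUMNS = ["ip", "platform", "hostname", "uptime", "model", "version",
           "serial", "avsig", "idssig", "license"]


def run_snmpget(ip, community, oid):
    """Query one OID with net-snmp snmpget; returns the value or '' on failure.
    -Oqv prints the bare value; short timeout/retries keep 1000s of devices
    from stalling the whole run on one unreachable box."""
    cmd = ["snmpget", "-v2c", "-c", community, "-Oqv", "-t", "2", "-r", "1", ip, oid]
    try:
        out = subprocess.run(cmd, capture_output=True, text=True, timeout=10, check=False)
    except (OSError, subprocess.TimeoutExpired):
        return ""
    if out.returncode != 0:
        return ""
    return out.stdout.strip().strip('"')


def poll_device(ip, community, platform, getter=run_snmpget):
    """Return one row in COLUMNS order, or None for an unknown/disabled platform."""
    spec = OIDS.get(platform)
    if spec is None or not spec.get("go"):
        return None
    row = {"ip": ip, "platform": platform}
    for field in COLUMNS[2:]:
        oid = spec.get(field)
        row[field] = getter(ip, community, oid) if oid else ""
    return [row[c] for c in COLUMNS]


def collect(source_csv_text, getter=run_snmpget):
    """Poll every target listed in fabricsource.csv text (ip, snmp_community, platform)."""
    rows = []
    for target in csv.DictReader(io.StringIO(source_csv_text)):
        row = poll_device(target["ip"], target["snmp_community"], target["platform"], getter)
        if row:
            rows.append(row)
    return rows


def to_csv(rows):
    """Serialise rows without a header line, matching the pre-created sourcetype."""
    buf = io.StringIO()
    csv.writer(buf, lineterminator="\n").writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    # usage: snmp_collect.py fabricsource.csv > snmp_inventory.csv  (then scp to the indexer)
    with open(sys.argv[1], newline="") as fh:
        sys.stdout.write(to_csv(collect(fh.read())))
```

Two practical notes: the target list carries read-only community strings, so the fabricsource.csv pushed to forwarders needs the same file permissions you would give any credential file, and SNMPv2c sends the community in cleartext, so restricting which pollers a device answers and moving to SNMPv3 where the platforms support it reduces what a compromised network segment can learn from this traffic.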

Single Pane of Glass