SNMP info regarding F5

Cowboy Denny

How to add user


How to verify..

To verify which IP address an SNMP query will see, run the following on the F5 ( is the SNMP source that is querying the F5):
ip route get via dev mgmt  src

In the above example: the source ( needs to be querying the F5 at


Verify the F5 is seeing SNMP queries with SNMP v3 user c0wboy

On F5 Device: tcpdump -ni 0.0:nnn -s0 port 161 | grep "c0wboy"

On Jumpbox (or device in SNMP allowed list) run: 

SNMP v3:  snmpget -v 3 -u c0wboy -a SHA -A snmp\!auth\-pwd\! -x AES -X snmpprivpwd -l authPriv sysSystemUptime.0

SNMP v2: snmpwalk -v 2c -c Public F5-BIGIP-SYSTEM-MIB::sysSystemUptime.0

NOTE: password must use \ to escape special characters.



I've been tasked with sending specific text to our SPLUNK from our F5 devices every hour.  So let's walk through how to do that.

This "task" is broken up into a few sections/to do's

  • Create a script that will run the SNMP command to create an entry with specific text
  • VALIDATE you can see the specific text in SPLUNK
  • Add the script to crontab on the F5 to run every hour
  • Have SPLUNK check for the specific text and, if it does not receive 3 entries of the specific text in 3hrs, send an alert.


TEST box, do you see SNMP entries for the past 24hrs?
index="infra_network" sourcetype="f5:bigip:syslog" usdet2slbtst0*


IDENTIFY the SNMP command needed to send text to SPLUNK using netcat

COMMAND: echo '<0><descriptive message>' | nc -w 1 -u <IP_address_of_syslog_server> <port_of_syslog_server>

EXAMPLE: echo '<0>netcat test message for Cowboy' | nc -w 1 -u 514

If it doesn't work the most common error you get is: Ncat: Could not resolve hostname " 514": Name or service not known. QUITTING

If it does work it should look similar to the below image


You can also do tests with netcat to see if TCP and/or UDP ports are open by running a slightly different version of the command above.  Let me show you:

TCP Test: echo "<14>Cowboy Test TCP syslog message" >> /dev/tcp/

UDP Test: echo "<14>Cowboy Test UDP syslog message" >> /dev/udp/

After running both commands above, I then search SPLUNK for a unique word in my message, like Cowboy. I see only UDP made it, so TCP isn't supported.



IDENTIFY the SNMP command needed to send text to SPLUNK using logger

COMMAND: logger -p <facility>.<level> "<descriptive message>"

EXAMPLE: logger -p local0.notice "logger test message for Cowboy"



Add script to crontab to run the SNMP command every hour on the hour

crontab -e

0 * * * * echo '<0>netcat hourly big-ip test message' | nc -w 1 -u 514


Confirm you see message coming into SPLUNK

Example of my query for my environment: index="infra_network" sourcetype="f5:bigip:syslog" host=txsat1slbdv0* "big-ip test message"
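
The hourly message from the steps above, wrapped as one script for cron. This is an added example, not the author's script: the function names and script path are made up here, and the syslog host and port are passed as arguments because the post does not show them. It works out the number between < and > from a logger-style facility.level (<0> is kern.emerg, <14> is user.info, local0.notice is <133>) and rejects an empty host or non-numeric port before calling nc.

```bash
#!/bin/bash
# Added example, not the author's script. Usage: heartbeat.sh <syslog_host> [port]
# Cron (path is a placeholder):
#   0 * * * * /path/to/heartbeat.sh <IP_address_of_syslog_server> 514

# Convert a logger-style "facility.level" into the numeric syslog PRI
# that goes between < and >: PRI = facility * 8 + severity.
syslog_pri() {
    local fac sev f s
    fac=${1%%.*}
    sev=${1##*.}
    case $fac in
        kern) f=0 ;; user) f=1 ;; daemon) f=3 ;;
        local[0-7]) f=$((16 + ${fac#local})) ;;
        *) return 1 ;;
    esac
    case $sev in
        emerg) s=0 ;; alert) s=1 ;; crit) s=2 ;; err) s=3 ;;
        warning) s=4 ;; notice) s=5 ;; info) s=6 ;; debug) s=7 ;;
        *) return 1 ;;
    esac
    echo $((f * 8 + s))
}

# Build the datagram payload, e.g. "<133>hourly big-ip test message".
heartbeat_msg() {
    local pri
    pri=$(syslog_pri "$1") || { echo "bad priority: $1" >&2; return 1; }
    printf '<%s>%s' "$pri" "$2"
}

# Send one UDP datagram with nc. An empty host or non-numeric port is
# rejected first so the cron job fails with a clear message.
send_heartbeat() {
    local host="$1" port="$2" msg
    [ -n "$host" ] || { echo "syslog host is empty" >&2; return 2; }
    case $port in
        ''|*[!0-9]*) echo "bad port: $port" >&2; return 2 ;;
    esac
    msg=$(heartbeat_msg "$3" "$4") || return 1
    printf '%s\n' "$msg" | nc -w 1 -u "$host" "$port"
}

# Only send when a host argument is given (as the cron entry passes it).
if [ "$#" -ge 1 ]; then
    send_heartbeat "$1" "${2:-514}" local0.notice "hourly big-ip test message"
fi
```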

