Cowboy Denny Posted November 21, 2022

How to add user

How to verify..

Verify what IP address the SNMP query will see. Run the following on the F5 to find out (10.47.178.99 is the SNMP source that is querying the F5):

ip route get 10.47.178.99
10.47.178.99 via 10.47.200.1 dev mgmt src 10.47.200.203
    cache

In the above example, the source (10.47.178.99) needs to be querying the F5 at 10.47.200.203.

Verify the F5 is seeing SNMP queries with SNMP v3 user c0wboy.

On F5 Device:
tcpdump -ni 0.0:nnn -s0 port 161 | grep "c0wboy"

On Jumpbox (or device in SNMP allowed list) run:

SNMP v3:
snmpget -v 3 -u c0wboy -a SHA -A snmp\!auth\-pwd\! -x AES -X snmpprivpwd -l authPriv 10.47.200.203 sysSystemUptime.0

SNMP v2:
snmpwalk -v 2c -c Public 10.47.200.203 F5-BIGIP-SYSTEM-MIB::sysSystemUptime.0

NOTE: password must use \ to escape special characters.
Cowboy Denny (Author) Posted January 10

I've been tasked with sending specific text to our SPLUNK from our F5 devices every hour. So let's walk through how to do that. This "task" is broken up into a few sections/to-dos:

Create script that will run SNMP create entry with specific text
VALIDATE you can see specific text in SPLUNK
Add script to crontab on F5 to run every hour
SPLUNK check for specific text, and if it does not receive 3 entries of specific text in 3hrs then send alert.

STEP1
TEST box, do you see SNMP entries for the past 24hrs?
index="infra_network" sourcetype="f5:bigip:syslog" usdet2slbtst0*
YES

STEP2
IDENTIFY the SNMP command needed to send text to SPLUNK using netcat

COMMAND:
echo '<0><descriptive message>' | nc -w 1 -u <IP_address_of_syslog_server> <port_of_syslog_server>

EXAMPLE:
echo '<0>netcat test message for Cowboy' | nc -w 1 -u 10.47.147.214 514

If it doesn't work, the most common error you get is:
Ncat: Could not resolve hostname "10.47.147.214 514": Name or service not known. QUITTING

If it does work it should look similar to the below image.

You can also do tests with netcat to see if TCP and/or UDP ports are open by running the same command as above, but just a little different. Let me show you:

TCP Test:
echo "<14>Cowboy Test TCP syslog message" >> /dev/tcp/10.47.147.214/514

UDP Test:
echo "<14>Cowboy Test UDP syslog message" >> /dev/udp/10.47.147.214/514

After running both commands above, I then search Splunk for a unique word in my message like Cowboy. I see only UDP made it, so TCP isn't supported.

IDENTIFY the SNMP command needed to send text to SPLUNK using logger

COMMAND:
logger -p <facility>.<level> "<descriptive message>"

EXAMPLE:
logger -p local0.notice "logger test message for Cowboy"

STEP3
Add script to crontab to run the SNMP command every hour on the hour

crontab -e
0 * * * * echo '<0>netcat hourly big-ip test message' | nc -w 1 -u 10.47.147.214 514

STEP4
Confirm you see the message coming into SPLUNK

Example of my query for my environment:
index="infra_network" sourcetype="f5:bigip:syslog" host=txsat1slbdv0* "big-ip test message"
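The hourly heartbeat described above, as an added example that is not from the post: it computes the syslog <PRI> prefix the post's messages start with (<14> is user.info, i.e. 1*8+6; the logger line's local0.notice would be <133>), builds the message, and sends it over UDP the same way the post's cron line does. SYSLOG_HOST and SYSLOG_PORT are assumed environment variables and the tag name is made up.

```shell
#!/bin/sh
# Added example, not from the original post. Builds the "<PRI>" prefix the
# post's netcat messages start with (RFC 3164: PRI = facility*8 + severity)
# and sends a heartbeat over UDP the same way the post's cron line does.

syslog_pri() {
    # "<14>" in the post is user.info (1*8+6); "<0>" is kern.emerg.
    echo $(( $1 * 8 + $2 ))
}

# Name-to-number maps for the facility.level form used by logger -p.
facility_num() {
    case "$1" in
        kern) echo 0 ;; user) echo 1 ;; daemon) echo 3 ;; syslog) echo 5 ;;
        local0) echo 16 ;; local1) echo 17 ;; local2) echo 18 ;; local3) echo 19 ;;
        local4) echo 20 ;; local5) echo 21 ;; local6) echo 22 ;; local7) echo 23 ;;
        *) return 1 ;;
    esac
}
severity_num() {
    case "$1" in
        emerg) echo 0 ;; alert) echo 1 ;; crit) echo 2 ;; err) echo 3 ;;
        warning) echo 4 ;; notice) echo 5 ;; info) echo 6 ;; debug) echo 7 ;;
        *) return 1 ;;
    esac
}

# syslog_format local0.notice TAG "message" -> "<133>TAG: message"
syslog_format() {
    fac="$(facility_num "${1%.*}")" || return 1
    sev="$(severity_num "${1#*.}")" || return 1
    printf '<%s>%s: %s' "$(syslog_pri "$fac" "$sev")" "$2" "$3"
}

# Send one heartbeat over UDP with nc, as in the post's cron entry.
# SYSLOG_HOST and SYSLOG_PORT are assumed environment variables (placeholders).
send_heartbeat() {
    host="${SYSLOG_HOST:?set SYSLOG_HOST}"
    port="${SYSLOG_PORT:-514}"
    syslog_format local0.notice "bigip-heartbeat" "$1" | nc -w 1 -u "$host" "$port"
}

# Cron usage: 0 * * * * SYSLOG_HOST=<syslog ip> /path/heartbeat.sh "hourly big-ip test message"
if [ "$#" -gt 0 ]; then
    send_heartbeat "$1"
fi
```

Searching Splunk for the tag (bigip-heartbeat) rather than a free-text phrase makes the "3 entries in 3 hours" alert query less likely to match unrelated messages.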