These docs are for Cribl Stream 4.10 and are no longer actively maintained.
See the latest version (4.13).
SNMP Trap Source
Cribl Stream supports receiving data from SNMP Traps.
Type: Push | TLS Support: NO | Event Breaker Support: No
Configure Cribl Stream to Receive SNMP Traps
Cribl Stream, except in Cribl.Cloud, ships with an SNMP Trap Source preconfigured to listen on port
9162. You can clone or directly modify this Source to further configure it, and then enable it.
In Cribl Stream, configure SNMP Traps:
- On the top bar, select Products, and then select Cribl Stream. Under Worker Groups, select a Worker Group. Next, you have two options:
- To configure via QuickConnect, navigate to Routing > QuickConnect (Stream) or Collect (Edge). Select Add Source and select the Source you want from the list, choosing either Select Existing or Add New.
- To configure via the Routes, select Data > Sources (Stream) or More > Sources (Edge). Select the Source you want. Next, select Add Source.
- In the New Source modal, configure the following under General Settings:
- Input ID: Enter a unique name to identify this Source definition. The default Source is prefilled with the value
in_snmp_trap. which can’t be changed via the UI. If you clone this Source, Cribl Stream will add-CLONEto the original Input ID. - Description: Optionally, enter a description.
- Address: Address to bind on. Defaults to
0.0.0.0(all addresses). - UDP Port: Port on which to receive SNMP traps. Defaults to
162.Sending large numbers of UDP events per second can cause Cribl.Cloud to drop some of the data. This results from restrictions of the UDP protocol.
To minimize the risk of data loss, deploy a customer-managed (hybrid) Stream Worker Group with Worker Nodes as close as possible to the UDP senders. Cribl also recommends tuning the OS UDP buffer size.
- Input ID: Enter a unique name to identify this Source definition. The default Source is prefilled with the value
- Next, you can configure the following Optional Settings:
- Tags: Optionally, add tags that you can use to filter and group Sources in Cribl Stream’s UI. These tags aren’t added to processed events. Use a tab or hard return between (arbitrary) tag names.
- Optionally, you can adjust the Authentication, Persistent Queue Settings, Processing and Advanced settings, or Connected Destinations outlined in the sections below.
- Select Save, then Commit & Deploy.
Authentication Settings
SNMPv3 authentication provides secure access to devices through optional user authentication and decryption of incoming data packets. Cribl Stream lets you choose any of the following levels of security:
- User name checking without authentication.
- User authentication without privacy.
- User authentication with privacy.
SNMPv3 authentication: Toggle on to enable SNMPv3 authentication and reveal authentication parameters. Default is toggled off.
Allow unmatched traps: Toggle on to pass through traps that don’t match any of the configured users. Cribl Stream will not attempt to authenticate or decrypt these traps. When toggled off (default), Cribl Stream drops traps without a correctly configured user name.
v3 Name: Enter the SNMPv3 user name (required). Multiple users are supported.
You must configure at least one user to enable SNMPv3 authentication. If desired, you can enter separate user credentials for each SNMPv3 user. The authentication protocol, authentication key, privacy protocol, and privacy key can be unique for each user.
For authentication to succeed, the user name and authentication protocol and key must match in the Source and the sending device configuration.
For decryption to succeed, the user name, authentication protocol and key, and the privacy protocol and key must match in the Source and the sending device configuration.
Authentication protocol: Select the authentication protocol required for your use case. If you select None, Cribl Stream will only check the user name without authenticating the user or decrypting the data. Otherwise, Cribl Stream uses the authentication protocol you specify and the key you provide to authenticate the user.
Options include:
NoneMD5SHA1SHA224SHA256SHA384SHA512
v3 authentication key: Enter the authentication key.
Choosing an authentication protocol also allows you to select an optional privacy protocol to decrypt incoming packets.
Cribl Stream logs authentication failures at the debug level.
Privacy protocol: Select the privacy protocol required for your use case. If you select None, Cribl Stream authenticates the user without decrypting the incoming data. Otherwise, Cribl Stream uses the privacy protocol you specify and the key you provide to decrypt the data.
Options include:
NoneAES128AES256b (Blumenthal)AES2556r (Reeder)
For every successfully decrypted trap, Cribl Stream adds __didDecrypt: true to the Event. Cribl Stream logs decryption failures at the debug level.
v3 privacy key: Enter the privacy key.
Add user: Click to add a new set of user credentials for SNMPv3 authentication.
Persistent Queue Settings
In the Persistent Queue Settings tab, you can optionally specify persistent queue storage, using the following controls. Persistent queue buffers and preserves incoming events when a downstream Destination has an outage or experiences backpressure.
Before enabling persistent queue, learn more about persistent queue behavior and how to optimize it with your system:
On Cribl-managed Cloud Workers (with an Enterprise plan), this tab exposes only the Enable Persistent Queue toggle. If enabled, PQ is automatically configured in
Always Onmode, with a maximum queue size of 1 GB disk space allocated per PQ‑enabled Source, per Worker Process.The 1 GB limit is on uncompressed inbound data, and the queue does not perform any compression. This limit is not configurable. For configurable queue size, compression, mode, and other options below, use a hybrid Group.
Enable Persistent Queue: Default is toggled off. When toggled on:
Mode: Select a condition for engaging persistent queues.
Always On: This default option will always write events to the persistent queue, before forwarding them to the Cribl Stream data processing engine.Smart: This option will engage PQ only when the Source detects backpressure from the Cribl Stream data processing engine.
Smartmode only engages when necessary, such as when a downstream Destination becomes blocked and the Max buffer size reaches its limit. When persistent queue is set toSmartmode, Cribl attempts to flush the queue when every new event arrives. The only time events stay in the buffer is when a downstream Destination becomes blocked.
Max buffer size: The maximum number of events to hold in memory before reporting backpressure to the sender and writing the queue to disk. Defaults to 1000. This buffer is for all connections, not just per Worker Process. For that reason, this can dramatically expand memory usage. Connections share this limit, which may result in slightly lower throughput for higher numbers of connections. For higher numbers of connections, consider increasing the limit.
Commit frequency: The number of events to send downstream before committing that Stream has read them. Defaults to 42.
Max file size: The maximum data volume to store in each queue file before closing it and (optionally) applying the configured Compression. Enter a numeral with units of KB, MB, and so forth. If not specified, Cribl Stream applies the default 1 MB.
Max queue size: The maximum amount of disk space that the queue is allowed to consume on each Worker Process. Once this limit is reached, this Source will stop queueing data and block incoming data. Required, and defaults to 5 GB. Accepts positive numbers with units of KB, MB, GB, and so forth. Can be set as high as 1 TB, unless you’ve configured a different Worker Process PQ size limit in Group/Fleet settings.
Queue file path: The location for the persistent queue files. Defaults to $CRIBL_HOME/state/queues. To this field’s specified path, Cribl Stream will append /<worker-id>/inputs/<input-id>.
Compression: Optional codec to compress the persisted data after a file closes. Defaults to None; Gzip is also available.
In Cribl Stream 4.1 and later, the Source persistent queue default Mode is
Always on, to best ensure events’ delivery. For details on optimizing this selection, see Optimize Source Persistent Queues (sPQ).You can optimize Workers’ startup connections and CPU load at Group/Fleet settings > Worker Processes.
Processing Settings
Fields
In this section, you can add Fields to each event using Eval-like functionality.
Name: Field name.
Value: JavaScript expression to compute field’s value, enclosed in quotes or backticks. (Can evaluate to a constant.)
Pre-Processing
In this section’s Pipeline drop-down list, you can select a single existing Pipeline or Pack to process data from this input before the data is sent through the Routes.
Advanced Settings
Include varbind types: Toggle on to include varbind types in the varbinds field on each event. This is required for the SNMP Trap Serialize Function to serialize compliant events into SNMP traps before sending them to an SNMP Trap Destination. The field is parsed to an array of objects like, [{oid: string, value: any, type: number}]. Off by default.
IP allowlist regex: Regex matching IP addresses that are allowed to send data. Defaults to .*, that is, all IPs.
Max buffer size (events): Maximum number of events to buffer when downstream is blocking. Defaults to 1000.
UDP socket buffer size (bytes): Optionally, set the SO_RCVBUF socket option for the UDP socket. This value tells the operating system how many bytes can be buffered in the kernel before events are dropped. Leave blank to use the OS default. Min: 256. Max: 4294967295.
It may also be necessary to increase the size of the buffer available to the SO_RCVBUF socket option. Consult the documentation for your operating system for a specific procedure.
Setting this value will affect OS memory utilization.
Environment: If you’re using GitOps, optionally use this field to specify a single Git branch on which to enable this configuration. If empty, the config will be enabled everywhere.
Connected Destinations
Select Send to Routes to enable conditional routing, filtering, and cloning of this Source’s data via the Routing table.
Select QuickConnect to send this Source’s data to one or more Destinations via independent, direct connections.
Internal Fields
Cribl Stream uses a set of internal fields to assist in handling of data. These “meta” fields are not part of an event, but they are accessible, and Functions can use them to make processing decisions.
Fields for this Source:
__didDecrypt: Set totruefor every trap that is successfully decrypted.__final__inputId__snmpRaw: Buffer containing Raw SNMP packet__snmpVersion: Acceptable values are0,2, or3. These respectively indicate SNMP v1, v2c, and v3.__srcIpPort: In this particular Source, this field uses a pipe (|) symbol to separate the source IP address and the port, in this format:event.__srcIpPort = ${rInfo.address}|${rInfo.port};_time
Considerations for Working with SNMP Trap Data
It’s possible to work with SNMP metadata (that is, we’ll decode the packet). Options include dropping, routing, and so on.
SNMP packets can be forwarded to other SNMP destinations. However, the contents of the incoming packet cannot be modified – that is, we’ll forward the packets verbatim as they came in.
SNMP packets can be forwarded to non-SNMP destinations (for example, Splunk, Syslog, S3, and so on).
Non-SNMP input data cannot be sent to SNMP destinations.
Troubleshooting
The Source’s configuration modal has helpful tabs for troubleshooting:
Live Data: Try capturing live data to see real-time events as they are ingested. On the Live Data tab, click Start Capture to begin viewing real-time data.
Logs: Review and search the logs that provide detailed information about the ingestion process, including any errors or warnings that may have occurred.
You can also view the Monitoring page that provides a comprehensive overview of data volume and rate, helping you identify ingestion issues. Analyze the graphs showing events and bytes in/out over time.