Hi,
I am running
Kibana 4.3.0
logstash 2.0.0
elasticsearch 2.4.5
Here is my Logstash config for SNMP traps:
# Trap listener for the snmptrap pipeline: every received trap becomes one
# event, tagged type => "snmptrap" (see the rubydebug sample further down).
input {
snmptrap {
type => "snmptrap"
# 0.0.0.0 binds every interface on the host. If traps only ever arrive on one
# management interface, binding that address alone keeps the listener off the
# others.
host => "0.0.0.0"
# 162 is the standard SNMP trap port (UDP). It is below 1024, so on most Unix
# systems the Logstash process needs the privilege to bind it.
port => 162
}
}
# Field-name normalisation before the event reaches the elasticsearch output.
filter{
# Inline Ruby executed for every event. Uses the Logstash 2.x event API
# (event[field] / event.remove(field)); later Logstash releases replaced these
# with event.get / event.set, so this snippet is tied to the 2.x line.
ruby {
# For each field whose name contains '.', move its value to a field of the
# same name with every '.' replaced by '_' (relies on event.remove returning
# the removed value). The trailing "_0" in names such as
# "SNMPv2-MIB::sysUpTime_0" in the sample below is presumably a rewritten
# ".0" -- confirm against the raw trap. The rename is presumably needed
# because Elasticsearch 2.x rejects field names containing dots -- confirm.
# The keys are read from a copy (to_hash), so adding and removing fields
# while iterating is safe.
code => "
event.to_hash.keys.each { |k| event[ k.gsub('.','_') ] = event.remove(k) if k.include?'.' }
"
}
}
# Index each event into the local Elasticsearch node and echo it to stdout.
output {
# Plain HTTP to the loopback address with no credentials. Elasticsearch 2.x
# ships without authentication unless a security plugin (e.g. Shield) is
# installed, so this depends on the node not being reachable from elsewhere.
elasticsearch { hosts => ["127.0.0.1:9200"] }
# rubydebug prints the event hash shown below. NOTE(review): it only shows
# what Logstash produced, not whether Elasticsearch accepted the document;
# rejected documents are reported in the Logstash log, not on stdout.
stdout { codec => rubydebug }
}
I am able to see the SNMP trap messages on stdout:
{
"message" => "#<SNMP::SNMPv2_Trap:0x391f0422 @error_index=0, @varbind_list=[#<SNMP::VarBind:0x691212ae @value=#<SNMP::TimeTicks:0x21889366 @value=17030767>, @name=[1.3.6.1.2.1.1.3.0]>, #<SNMP::VarBind:0xd851ebd @value=[1.3.6.1.4.1.22420.2.14.0.0.1], @name=[1.3.6.1.6.3.1.1.4.1.0]>, #<SNMP::VarBind:0x1e67c664 @value=#<SNMP::Gauge32:0x2f11ded4 @value=661>, @name=[1.3.6.1.4.1.22420.2.14.1.3.2.0]>], @error_status=0, @request_id=907477978, @source_ip=\"10.91.140.99\">",
"host" => "10.91.140.99",
"@version" => "1",
"@timestamp" => "2017-06-09T10:42:10.993Z",
"type" => "snmptrap",
"SNMPv2-MIB::sysUpTime_0" => "1 day, 23:18:27.67",
"SNMPv2-MIB::snmpTrapOID_0" => "SNMPv2-SMI::enterprises.22420.2.14.0.0.1",
"SNMPv2-SMI::enterprises_22420_2_14_1_3_2_0" => "661"
}
But these messages are not visible in Kibana. I have a similar setup for syslog which works very well, and I am able to see its messages in Kibana.
Here is my Logstash syslog config:
# Syslog listeners: the same port over TCP and UDP, both tagging events
# type => syslog so the filter below can select them.
input {
tcp {
# 514 is the traditional syslog port; below 1024, so binding it needs the
# appropriate privilege on most Unix systems (same for the UDP listener).
port => 514
type => syslog
}
udp {
port => 514
type => syslog
}
}
# Parse the raw syslog line into structured fields and take the event time
# from the message itself.
filter {
# Only events from the syslog inputs are parsed; any other type passes through.
if [type] == "syslog" {
grok {
# Splits "<timestamp> <host> <program>[pid]: <message>"; the "[pid]" part is
# optional. The pattern is not anchored, so a leading PRI such as "<174>"
# (visible in the sample below) is skipped rather than captured. Input is
# untrusted network data: a line that does not match is kept and tagged
# _grokparsefailure instead of being dropped.
match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
# Preserve the arrival time and sender address, since @timestamp is
# overwritten by the date filter below.
add_field => [ "received_at", "%{@timestamp}" ]
add_field => [ "received_from", "%{host}" ]
}
# Set @timestamp from the parsed syslog timestamp (one- or two-digit day).
# The pattern carries no year and no timezone, so both come from the
# Logstash host's defaults -- confirm that matches the senders.
date {
match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
}
}
}
# Same outputs as the trap pipeline: local Elasticsearch plus stdout echo.
output {
# NOTE(review): the address is written 127.0.01 here (three dotted parts)
# while the trap pipeline uses 127.0.0.1. Many resolvers accept the short
# form as 127.0.0.1 and the post says this pipeline works, but the four-part
# spelling is the unambiguous one. Same unauthenticated HTTP caveat as above.
elasticsearch { hosts => ["127.0.01:9200"] }
stdout { codec => rubydebug }
}
and the messages on stdout look like:
{
"message" => "<174>Jun 9 15:18:51 10.91.142.100 Mediation: [ID 127899 local5.info] MESSAGE= Discovery in progress ; TARGET= 10.91.123.56; CONDITION_TYPE= NEMGMT511; USER= Manager_for_6k_OM5k_and_CPL ",
"@version" => "1",
"@timestamp" => "2017-06-09T09:48:51.000Z",
"host" => "10.91.142.103",
"type" => "syslog",
"syslog_timestamp" => "Jun 9 15:18:51",
"syslog_hostname" => "10.91.142.100",
"syslog_program" => "Mediation",
"syslog_message" => "[ID 127899 local5.info] MESSAGE= Discovery in progress ; TARGET= 10.91.123.56; CONDITION_TYPE= NEMGMT511; USER= Manager_for_6k_OM5k_and_CPL ",
"received_at" => "2017-06-09T09:48:38.261Z",
"received_from" => "10.91.142.103"
}
Please advise what I can do to fix the problem with SNMP traps, and what I should query in Elasticsearch with regard to SNMP traps.
Regards,
-Manish