Constructing snmp input for logstash

ksarpong · June 26, 2019, 7:25pm

Newbie here, can someone outline how I'd parse construct the inputs for log example below in Logstash? I replaced some sensitive info like real ip address etc

Sat Jun 22 03:43:35 2019 - SNMPV1TRAP sent - 10.10.10.10:162 public - .1.3.6.1.4.1.6324.2.1 i 146002674 .1.3.6.1.4.1.6324.2.2 s MY-ROUTER-R1 (172.32.33.34) pp_cp: QFP:0.0 Thread:001 TS:00003555265902986061 %IPSEC-3-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet, dest_addr= 172.32.50.8, src_addr= 172.32.50.9, prot= 17 .1.3.6.1.4.1.6324.2.3 s MY-ROUTER-R1 .1.3.6.1.4.1.6324.2.4 s 172.32.33.34 .1.3.6.1.4.1.6324.2.5 i 1 .1.3.6.1.4.1.6324.2.6 s pp_cp: QFP:0.0 Thread:001 TS:00003555265902986061 %IPSEC-3-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet, dest_addr= 172.32.50.8, src_addr= 172.32.50.9, prot= 17 .1.3.6.1.4.1.6324.2.7 s User VarBind 1 .1.3.6.1.4.1.6324.2.8 s User VarBind 2 .1.3.6.1.4.1.6324.2.9 s my_tool to ABX .1.3.6.1.4.1.6324.2.10 s my_tool to ABX - Trapent1 .1.3.6.1.4.1.6324.2.11 s Alarm Group:Agent:Node .1.3.6.1.4.1.6324.2.12 s Profile Type:Unspecified .1.3.6.1.4.1.6324.2.13 s Organizational:Unspecified .1.3.6.1.4.1.6324.2.14 s Geographic:Unspecified .1.3.6.1.4.1.6324.2.15 s TEAM/Engineers:Unspecified .1.3.6.1.4.1.6324.2.16 s 1 .1.3.6.1.4.1.6324.2.17 s 2 .1.3.6.1.4.1.6324.2.18 s Sat, 22 Jun 2019 03:43:24 -0500 .1.3.6.1.4.1.6324.2.19 i 1004984 .1.3.6.1.4.1.6324.2.20 s ABCDE-3-PLATFORM (nc,clog) .1.3.6.1.4.1.6324.2.21 s User VarBind 3

Badger · June 26, 2019, 8:54pm

Please edit and format your post. It looks like the forum software has eaten some underscores, and I cannot tell what else it might have eaten. This might help with the formatting.

Are you using an snmp input? I would expect to get structured data in the events if you were. Or are you parsing a log where some device is dumping traps in a not so structured format?

ksarpong · June 26, 2019, 11:21pm

snmp input as in a plugin or the input section of the *.conf file? No to the former and yes to the latter. I am attempting to parse a log where a monitoring server is dumping traps in a the format shown in my example. BTW that's exactly how it's dumping the file. No missing underscores. Appreciate your assisance!

Badger · June 27, 2019, 12:32am

How does the device specify an italic font for " Organizational: Unspecified"

ksarpong · June 27, 2019, 12:16pm

That's just cosmetic metadata honestly, it was expecting an organisation, like say "STORAGE"

ksarpong · June 28, 2019, 4:34pm

We're good...it helps to read documentation

system · July 26, 2019, 4:34pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.