Help to parse SNMP input


(vomitar) #1

Hello to all,
I need help parsing an SNMP input, extracting some variables and putting them into files.
SNMP input:
{
"SNMPv2-SMI::enterprises.193.110.2.666.1.1.2.1.6.10.65.67.84.73.86.65.84.73.79.78.2101.5" => "TRAP TEST - MONITORAGGIO .",
"SNMPv2-SMI::enterprises.193.110.2.666.1.2.2.1.10.10.65.67.84.73.86.65.84.73.79.78.11.7.226.9.18.15.46.11.5.43.2.0.125" => "1.1.1.1.2.1.0.192.168.0.7",
"DISMAN-EXPRESSION-MIB::sysUpTimeInstance" => "161 days, 04:18:43.37",
"SNMPv2-MIB::snmpTrapOID.0" => "ERICSSON-SNF-ALARM-MIB::snfAlarmActiveState",
"SNMPv2-SMI::enterprises.193.110.2.666.1.2.2.1.11.10.65.67.84.73.86.65.84.73.79.78.11.7.226.9.18.15.46.11.5.43.2.0.125" => "TRAP TEST - MONITORAGGIO .",
"ERICSSON-SNF-ALARM-MIB::snfAlarmActiveOriginatingSource.10.65.67.84.73.86.65.84.73.79.78.11.7.226.9.18.15.46.11.5.43.2.0.125" => "192.168.0.8",
"ERICSSON-SNF-ALARM-MIB::snfAlarmActiveDateAndTime.10.65.67.84.73.86.65.84.73.79.78.11.7.226.9.18.15.46.11.5.43.2.0.125" => "\a\xE2\t\x12\x0F.\v\x05+\x02\x00",
"ERICSSON-SNF-ALARM-MIB::snfAlarmActiveSeverity.10.65.67.84.73.86.65.84.73.79.78.11.7.226.9.18.15.46.11.5.43.2.0.125" => "4",
"ERICSSON-SNF-ALARM-MIB::snfAlarmActiveOriginatingSourceType.10.65.67.84.73.86.65.84.73.79.78.11.7.226.9.18.15.46.11.5.43.2.0.125" => "1",
"SNMPv2-SMI::enterprises.193.110.2.667.1.1.1.1.3.10.65.67.84.73.86.65.84.73.79.78.2101.4" => "22",
"host" => "10.197.0.181",
"tags" => [
[0] "snmptrapALERT"
],
"@timestamp" => 2018-10-26T13:53:30.717Z,
"type" => "snmptrap",
"SNMPv2-SMI::enterprises.193.110.2.667.1.1.1.1.2.10.65.67.84.73.86.65.84.73.79.78.2101.4" => "2",
"@version" => "1",
"ERICSSON-SNF-ALARM-MIB::snfAlarmActiveModelIndex.10.65.67.84.73.86.65.84.73.79.78.11.7.226.9.18.15.46.11.5.43.2.0.125" => "1321",
"ERICSSON-SNF-ALARM-MIB::snfAlarmActiveSequenceNumber.10.65.67.84.73.86.65.84.73.79.78.11.7.226.9.18.15.46.11.5.43.2.0.125" => "125",
"ERICSSON-SNF-ALARM-MIB::snfAlarmActiveListName.10.65.67.84.73.86.65.84.73.79.78.11.7.226.9.18.15.46.11.5.43.2.0.125" => "TRAP TEST - MONITORAGGIO .",
"message" => "#<SNMP::SNMPv2_Trap:0x49af460f @request_id=676271799, @error_index=0, @error_status=0, @source_ip="10.197.0.181", @varbind_list=[#<SNMP::VarBind:0x63bb1821 @name=[1.3.6.1.2.1.1.3.0], @value=#<SNMP::TimeTicks:0x6b550818 @value=1392592337>>, #<SNMP::VarBind:0x2bae1d63 @name=[1.3.6.1.6.3.1.1.4.1.0], @value=[1.3.6.1.4.1.193.110.2.10.2.0.1]>, #<SNMP::VarBind:0x5bb3f87 @name=[1.3.6.1.4.1.193.110.2.666.1.1.2.1.6.10.65.67.84.73.86.65.84.73.79.78.2101.5], @value="TRAP TEST - MONITORAGGIO .">, #<SNMP::VarBind:0x6a0ab5dd @name=[1.3.6.1.4.1.193.110.2.666.1.2.2.1.10.10.65.67.84.73.86.65.84.73.79.78.11.7.226.9.18.15.46.11.5.43.2.0.125], @value=[1.1.1.1.2.1.0.192.168.0.7]>, #<SNMP::VarBind:0x29dc754c @name=[1.3.6.1.4.1.193.110.2.666.1.2.2.1.11.10.65.67.84.73.86.65.84.73.79.78.11.7.226.9.18.15.46.11.5.43.2.0.125], @value="TRAP TEST - MONITORAGGIO .">, #<SNMP::VarBind:0x72c23011 @name=[1.3.6.1.4.1.193.110.2.667.1.1.1.1.2.10.65.67.84.73.86.65.84.73.79.78.2101.4], @value=#<SNMP::Integer:0x2ed97ec9 @value=2>>, #<SNMP::VarBind:0x11c28292 @name=[1.3.6.1.4.1.193.110.2.667.1.1.1.1.3.10.65.67.84.73.86.65.84.73.79.78.2101.4], @value=#<SNMP::Integer:0x5b7ef3f3 @value=22>>, #<SNMP::VarBind:0x385f0235 @name=[1.3.6.1.4.1.193.110.2.10.1.10.1.10.10.65.67.84.73.86.65.84.73.79.78.11.7.226.9.18.15.46.11.5.43.2.0.125], @value="TRAP TEST - MONITORAGGIO .">, #<SNMP::VarBind:0x5d951cc1 @name=[1.3.6.1.4.1.193.110.2.10.1.10.1.11.10.65.67.84.73.86.65.84.73.79.78.11.7.226.9.18.15.46.11.5.43.2.0.125], @value=#<SNMP::Integer:0x58c6c3f3 @value=1321>>, #<SNMP::VarBind:0x748b4273 @name=[1.3.6.1.4.1.193.110.2.10.1.10.1.12.10.65.67.84.73.86.65.84.73.79.78.11.7.226.9.18.15.46.11.5.43.2.0.125], @value=#<SNMP::Integer:0x3405b87d @value=4>>, #<SNMP::VarBind:0x4103d928 @name=[1.3.6.1.4.1.193.110.2.10.1.10.1.2.10.65.67.84.73.86.65.84.73.79.78.11.7.226.9.18.15.46.11.5.43.2.0.125], @value="\a\xE2\t\x12\x0F.\v\x05+\x02\x00">, #<SNMP::VarBind:0x2fb453a0 
@name=[1.3.6.1.4.1.193.110.2.10.1.10.1.16.10.65.67.84.73.86.65.84.73.79.78.11.7.226.9.18.15.46.11.5.43.2.0.125], @value=#<SNMP::Integer:0x18214ff @value=1>>, #<SNMP::VarBind:0x185d92e2 @name=[1.3.6.1.4.1.193.110.2.10.1.10.1.17.10.65.67.84.73.86.65.84.73.79.78.11.7.226.9.18.15.46.11.5.43.2.0.125], @value="192.168.0.8">, #<SNMP::VarBind:0x47c8d258 @name=[1.3.6.1.4.1.193.110.2.10.1.10.1.18.10.65.67.84.73.86.65.84.73.79.78.11.7.226.9.18.15.46.11.5.43.2.0.125], @value=#<SNMP::Counter32:0x4a6cb052 @value=125>>]>"
}

For example, I need to work with the variable ERICSSON-SNF-ALARM-MIB::snfAlarmActiveModelIndex. In reality the variable is composed of ERICSSON-SNF-ALARM-MIB::snfAlarmActiveModelIndex + OID; the first part is common to all, the second part (OID) changes, so my first task is to find the correct variable with a regexp, I think.

"ERICSSON-SNF-ALARM-MIB::snfAlarmActiveModelIndex.10.65.67.84.73.86.65.84.73.79.78.11.7.226.9.18.15.46.11.5.43.2.0.125" => "1321"

ERROR_CODE = ${ERICSSON-SNF-ALARM-MIB::snfAlarmActiveModelIndex*}

Thank you all.


(vomitar) #2

OK, I parsed the variable with the grok debugger,

for example:
"SNMPv2-MIB::snmpTrapOID.0" => %{GREEDYDATA:state}
"ERICSSON-SNF-ALARM-MIB::snfAlarmActiveOriginatingSource.*" => "%{IPV4:ipsource}"

but I get an error with Logstash:

match => { "message" => "SNMPv2-MIB::snmpTrapOID.0" => %{GREEDYDATA:state} }
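
An added example, not part of the original posts: the rubydebug output above shows the varbinds already present as event fields whose names carry the table row index as a suffix, so the value can be picked out by matching the field name rather than by running grok on `message`. This plain-Ruby sketch does that for every field from the ERICSSON-SNF-ALARM-MIB prefix. The helper names (`split_instance`, `decode_date_and_time`, `normalise_trap`, `alarm_instance`) are hypothetical, and treating `snfAlarmActiveDateAndTime` as an SNMPv2-TC DateAndTime value is an assumption based on its 11-byte content.

```ruby
# Added example. SAMPLE is constructed from fields shown in the post above.
PREFIX = "ERICSSON-SNF-ALARM-MIB::"
IDX = "10.65.67.84.73.86.65.84.73.79.78.11.7.226.9.18.15.46.11.5.43.2.0.125"

# Split "MIB::object.1.2.3" into ["object", "1.2.3"]. The pattern is anchored,
# so only well-formed names from the expected MIB are accepted; others give nil.
def split_instance(key, prefix = PREFIX)
  m = /\A#{Regexp.escape(prefix)}([A-Za-z][A-Za-z0-9]*)\.(\d+(?:\.\d+)*)\z/.match(key)
  m && [m[1], m[2]]
end

# Assumption: the value is an SNMPv2-TC DateAndTime octet string (8 or 11 bytes).
def decode_date_and_time(raw)
  b = raw.bytes
  return nil unless [8, 11].include?(b.length)
  s = format("%04d-%02d-%02dT%02d:%02d:%02d.%d",
             (b[0] << 8) | b[1], b[2], b[3], b[4], b[5], b[6], b[7])
  s += format("%s%02d:%02d", b[8].chr, b[9], b[10]) if b.length == 11
  s
end

# Map index-suffixed field names to stable ones and keep the shared row index.
def normalise_trap(event)
  out = {}
  event.each do |key, value|
    name, index = split_instance(key.to_s)
    next unless name
    out[name] = name.end_with?("DateAndTime") ? decode_date_and_time(value) : value
    out["alarm_instance"] = index
  end
  out
end

SAMPLE = {
  "SNMPv2-MIB::snmpTrapOID.0" => "ERICSSON-SNF-ALARM-MIB::snfAlarmActiveState",
  "#{PREFIX}snfAlarmActiveModelIndex.#{IDX}" => "1321",
  "#{PREFIX}snfAlarmActiveSeverity.#{IDX}" => "4",
  "#{PREFIX}snfAlarmActiveOriginatingSource.#{IDX}" => "192.168.0.8",
  "#{PREFIX}snfAlarmActiveDateAndTime.#{IDX}" => "\a\xE2\t\x12\x0F.\v\x05+\x02\x00".b,
  "host" => "10.197.0.181"
}

fields = normalise_trap(SAMPLE)
puts "ERROR_CODE=#{fields['snfAlarmActiveModelIndex']}"
fields.each { |k, v| puts "#{k} => #{v}" }
```

Inside Logstash the same logic can run in a `ruby` filter, reading the fields with `event.to_hash` and writing each result with `event.set`.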

