Logstash - Collecting SNMP data from network devices

hendry.lim · December 26, 2022, 12:52pm

we confirm the device are connected properly with our ELK cluster server where we install the logstash.

Would you be able to elaborate on this?

How did you test/verify this exactly?

I hope you are not confused between snmp and snmptrap input.

snmp input is used to connect Logstash to network devices, i.e. the network connection direction is outbound from Logstash and inbound into the network devices.

While snmptrap is the reverse of the snmp input.

From your statement, I presume you are expecting connection from the network devices into Logstash, not the other way around.

muhammad-murad.nagoo · December 27, 2022, 9:20am

Yes, we are expecting the snmp logs from devices to LS. The flow should network devices ---> Logstash ---> Elastic Cloud.

The config as below :

input {
snmp {
# The SNMP host to connect to
hosts => [{host => "udp:10.1.133.250/161" community => "Private"}]
get => ["1.3.6.1.2.1.1.1.0", "1.3.6.1.2.1.1.3.0", "1.3.6.1.2.1.1.5.0"]
}
}

output {
elasticsearch {
# The Elasticsearch host to connect to
cloud_id => ["dXMtY2VudHJhbDEuZ2NwLmNsb3VkLmVzLmlvOjQ0MyQyZDNjMjJkYWEzZWQ0ZTczYmM3OGZjOWVlNzE3ZDNiNiQ4XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX=="]
cloud_auth => "elastic:R618RKOpsoXXXXXXXXXXXXXXXXl"

# The index to use for the collected data
index => "snmp"

}
}

Its means my config is wrong? the input should be the output and same for output ?

For clarifying the connection, we are using the Frameflow to check the connection.

Appreciate your insight on this.

hendry.lim · December 28, 2022, 5:12am

Did you run FrameFlow on the same host where you run Logstash?

I noticed the community is not public on the FrameFlow screen.

I would also suggest to try to run snmpget or snmpwalk tool on Windows to test the connectivity.

Rios · December 28, 2022, 6:23am

You are on good path.You will need MIBs and replace get => ["1.3.6.1.2.1.1.1.0", "1.3.6.1.2.1.1.3.0", "1.3.6.1.2.1.1.5.0"] with your values which will FrameFlow show up.

Use the get option to query for scalar values for the given OID(s). One or more OID(s) are specified as an array of strings of OID(s).

muhammad-murad.nagoo · January 3, 2023, 9:40am

Yes Sir, the same host.

I tried public, then private then the value i found in the frameflow apps

Sure, will run and update the result

muhammad-murad.nagoo · January 3, 2023, 9:41am

The OID's are same. Look like its the default value.

Will add MIB's and try.

system · January 31, 2023, 9:41am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.