Hi Team,
I have an issue collecting the traps in Logstash. Please help me find what is wrong in the script given below.
input {
  snmptrap {
    type => "snmptrap"
    host => "10.10.100.19"   # logstash server ip (address the listener binds to)
    port => 1062             # firewall port snmp traps (UDP port the firewall sends traps to)
    community => "airo"      # firewall community (must match the community string in the traps)
  }
}
filter {
  if [type] == "snmptrap" {
    grok {
      # captures the whole message text into snmptrap_data
      match => { "message" => "%{GREEDYDATA:snmptrap_data}" }
    }
    mutate {
      add_field => {
        "trap_oid" => "%{[snmptrap][trap_oid]}"
        "trap_ip" => "%{[snmptrap][host_ip]}"
        "trap_community" => "%{[snmptrap][community]}"
        "trap_data" => "%{snmptrap_data}"
      }
    }
    json {
      # only succeeds if trap_data is actually JSON text
      source => "trap_data"
      target => "snmptrap_parsed"
      remove_field => ["message", "trap_data"]
    }
  }
}
output {
  stdout {
    codec => rubydebug
  }
}
The output is empty; nothing is coming through.
root@prom:/etc/logstash/conf.d# /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/trapc.conf --debug --verbose
Using system java: /usr/bin/java
OpenJDK 64-Bit Server VM warning: Option UseConcMarkSweepGC was deprecated in version 9.0 and will likely be removed in a future release.
/usr/share/logstash/vendor/bundle/jruby/3.1.0/gems/concurrent-ruby-1.1.9/lib/concurrent-ruby/concurrent/executor/java_thread_pool_executor.rb:13: warning: method redefined; discarding old to_int
/usr/share/logstash/vendor/bundle/jruby/3.1.0/gems/concurrent-ruby-1.1.9/lib/concurrent-ruby/concurrent/executor/java_thread_pool_executor.rb:13: warning: method redefined; discarding old to_f
WARNING: Could not find logstash.yml which is typically located in $LS_HOME/config or /etc/logstash. You can specify the path using --path.settings. Continuing using the defaults
Could not find log4j2 configuration at path /usr/share/logstash/config/log4j2.properties. Using default config which logs errors to the console
[WARN ] 2024-05-23 05:29:30.298 [main] runner - NOTICE: Running Logstash as superuser is not recommended and won't be allowed in the future. Set 'allow_superuser' to 'false' to avoid startup errors in future releases.
[WARN ] 2024-05-23 05:29:30.309 [main] runner - DEPRECATION WARNING: The flag ["--debug"] has been deprecated, please use "--log.level=debug" instead.
[WARN ] 2024-05-23 05:29:30.309 [main] runner - DEPRECATION WARNING: The flag ["--verbose"] has been deprecated, please use "--log.level=info" instead.
[INFO ] 2024-05-23 05:29:30.310 [main] runner - Starting Logstash {"logstash.version"=>"8.13.0", "jruby.version"=>"jruby 9.4.5.0 (3.1.4) 2023-11-02 1abae2700f OpenJDK 64-Bit Server VM 11.0.22+7-post-Ubuntu-0ubuntu222.04.1 on 11.0.22+7-post-Ubuntu-0ubuntu222.04.1 +indy +jit [x86_64-linux]"}
[INFO ] 2024-05-23 05:29:30.313 [main] runner - JVM bootstrap flags: [-Xms1g, -Xmx1g, -XX:+UseConcMarkSweepGC, -XX:CMSInitiatingOccupancyFraction=75, -XX:+UseCMSInitiatingOccupancyOnly, -Djava.awt.headless=true, -Dfile.encoding=UTF-8, -Djruby.compile.invokedynamic=true, -XX:+HeapDumpOnOutOfMemoryError, -Djava.security.egd=file:/dev/urandom, -Dlog4j2.isThreadContextMapInheritable=true, -Dlogstash.jackson.stream-read-constraints.max-string-length=200000000, -Dlogstash.jackson.stream-read-constraints.max-number-length=10000, -Djruby.regexp.interruptible=true, -Djdk.io.File.enableADS=true, --add-opens=java.base/java.security=ALL-UNNAMED, --add-opens=java.base/java.io=ALL-UNNAMED, --add-opens=java.base/java.nio.channels=ALL-UNNAMED, --add-opens=java.base/sun.nio.ch=ALL-UNNAMED, --add-opens=java.management/sun.management=ALL-UNNAMED, -Dio.netty.allocator.maxOrder=11]
[INFO ] 2024-05-23 05:29:30.315 [main] runner - Jackson default value override logstash.jackson.stream-read-constraints.max-string-length
configured to 200000000
[INFO ] 2024-05-23 05:29:30.315 [main] runner - Jackson default value override logstash.jackson.stream-read-constraints.max-number-length
configured to 10000
[WARN ] 2024-05-23 05:29:30.586 [LogStash::Runner] multilocal - Ignoring the 'pipelines.yml' file because modules or command line options are specified
[INFO ] 2024-05-23 05:29:31.735 [Api Webserver] agent - Successfully started Logstash API endpoint {:port=>9600, :ssl_enabled=>false}
[INFO ] 2024-05-23 05:29:32.598 [Converge PipelineAction::Create] Reflections - Reflections took 170 ms to scan 1 urls, producing 132 keys and 468 values
/usr/share/logstash/vendor/bundle/jruby/3.1.0/gems/amazing_print-1.6.0/lib/amazing_print/formatter.rb:37: warning: previous definition of cast was here
[INFO ] 2024-05-23 05:29:33.355 [Converge PipelineAction::Create] javapipeline - Pipeline main
is configured with pipeline.ecs_compatibility: v8
setting. All plugins in this pipeline will default to ecs_compatibility => v8
unless explicitly configured otherwise.
[WARN ] 2024-05-23 05:29:33.392 [[main]-pipeline-manager] grok - ECS v8 support is a preview of the unreleased ECS v8, and uses the v1 patterns. When Version 8 of the Elastic Common Schema becomes available, this plugin will need to be updated
[INFO ] 2024-05-23 05:29:33.528 [[main]-pipeline-manager] javapipeline - Starting pipeline {:pipeline_id=>"main", "pipeline.workers"=>4, "pipeline.batch.size"=>125, "pipeline.batch.delay"=>50, "pipeline.max_inflight"=>500, "pipeline.sources"=>["/etc/logstash/conf.d/trapc.conf"], :thread=>"#<Thread:0x2327b965 /usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:134 run>"}
[INFO ] 2024-05-23 05:29:34.972 [[main]-pipeline-manager] javapipeline - Pipeline Java execution initialization time {"seconds"=>1.44}
[INFO ] 2024-05-23 05:29:34.992 [[main]-pipeline-manager] snmptrap - ECS compatibility is enabled but target
option was not specified. This may cause fields to be set at the top-level of the event where they are likely to clash with the Elastic Common Schema. It is recommended to set the target
option to avoid potential schema conflicts (if your data is ECS compliant or non-conflicting, feel free to ignore this message)
[INFO ] 2024-05-23 05:29:34.993 [[main]-pipeline-manager] javapipeline - Pipeline started {"pipeline.id"=>"main"}
[INFO ] 2024-05-23 05:29:35.001 [[main]<snmptrap] snmptrap - It's a Trap! {:Port=>1062, :Community=>["airo"], :Host=>"10.10.100.19"}
[INFO ] 2024-05-23 05:29:35.024 [Agent thread] agent - Pipelines running {:count=>1, :running_pipelines=>[:main], :non_running_pipelines=>}
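The startup log above ends with the snmptrap input reporting that it is listening on 10.10.100.19:1062 for community "airo", so the pipeline itself has started; the next thing to check is whether a well-formed trap carrying that exact community actually reaches the listener and produces an event on stdout. The script below is an added example, not part of the original post or of Logstash: it hand-encodes an SNMPv2c trap in BER using only the Python standard library and sends it to the listener. Host, port and community come from the post; the Net-SNMP example heartbeat OIDs and the values in the varbinds are constructed test data.

```python
import socket

def ber_len(n):
    """BER length: short form below 128, long form (0x8N + N length bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, content):
    return bytes([tag]) + ber_len(len(content)) + content

def ber_int(value, tag=0x02):
    """Non-negative INTEGER (tag 0x02) or TimeTicks (tag 0x43); keeps the sign bit clear."""
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return tlv(tag, body)

def ber_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest base-128 with continuation bits."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytes([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body += bytes(chunk)
    return tlv(0x06, body)

def varbind(oid, value_tlv):
    return tlv(0x30, ber_oid(oid) + value_tlv)

def build_v2c_trap(community, trap_oid, uptime_ticks, extra_varbinds=(), request_id=1):
    """SNMPv2c message: SEQUENCE { version=1, community, [7] SNMPv2-Trap-PDU }.
    The PDU must start with sysUpTime.0 (TimeTicks) and snmpTrapOID.0 (OID) varbinds."""
    binds = varbind("1.3.6.1.2.1.1.3.0", ber_int(uptime_ticks, tag=0x43))
    binds += varbind("1.3.6.1.6.3.1.1.4.1.0", ber_oid(trap_oid))
    for oid, value in extra_varbinds:  # int -> INTEGER, str -> OCTET STRING
        binds += varbind(oid, ber_int(value) if isinstance(value, int) else tlv(0x04, value.encode()))
    pdu = tlv(0xA7, ber_int(request_id) + ber_int(0) + ber_int(0) + tlv(0x30, binds))
    return tlv(0x30, ber_int(1) + tlv(0x04, community.encode()) + pdu)

def send_trap(packet, host, port):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        return s.sendto(packet, (host, port))

if __name__ == "__main__":
    # constructed test data: Net-SNMP example heartbeat notification with a heartbeat rate of 60
    pkt = build_v2c_trap("airo", "1.3.6.1.4.1.8072.2.3.0.1", 12345, [("1.3.6.1.4.1.8072.2.3.2.1", 60)])
    print(send_trap(pkt, "10.10.100.19", 1062), "bytes sent")
```

If this trap shows up on stdout but the firewall's traps do not, the input is fine and the difference lies in what the firewall sends (destination port, community string, or a path blocked in between); if even this trap produces nothing, look at the bind address and anything filtering UDP 1062 on the Logstash host.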