At this moment, all the traps that I receive in Logstash that have the error code are written to Elasticsearch and to a file:
output {
  if [type] == "snmptrap" {
    elasticsearch {
      hosts    => ["myhost.domain.com:9200"]
      user     => "user"
      password => "pass"
      index    => "logstash-snmp-%{+YYYY.MM.dd}"
    }
    # the OID field that carries the status
    if [SNMPv2-SMI::enterprises.2.6.212.10.1.5] == "ERROR" {
      file {
        path  => "/var/spool/logstash/snmp.log"
        codec => json_lines {}
      }
    }
  }
}
How can I parse the SNMP trap before writing it to the output file?
You're not describing in what way you want it parsed so it's impossible to help. What do your SNMP events currently look like? How would you like them to look instead?
Hello magnus,
Thanks a lot for your response.
What I want is to write to a file ("/var/spool/logstash/snmp.log") if [SNMPv2-SMI::enterprises.2.6.212.10.1.5] == "ERROR", but in a "human" language, because now, doing this:
file {
  path  => "/var/spool/logstash/snmp.log"
  codec => json_lines {}
}
The file contains all the SNMP trap information with all the OIDs, and my goal is to replace all the "SNMPv2-SMI::enterprises.2.6.212.10.1.X" with a string, like:
filter {
  mutate {
    gsub => [
      # replace the OID in the message field with a readable name
      "message", "SNMPv2-SMI::enterprises.2.6.212.10.1.1", "CLUSTER_ID"
    ]
  }
}
That mutate filter looks like something that could work (but you should escape the periods since they are metacharacters in regexps). What are you having trouble with?
For best results avoid describing what you want to accomplish. Show examples instead, like what an event looks like now (using a stdout { codec => rubydebug } output) and what the desired outcome is.
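As an added example (not posted by either participant), here is a complete pipeline that does what the thread is after using the field-based approach: the snmptrap input stores each varbind as a field named by its OID, so `mutate { rename }` can map those exact field names to readable ones without any regex (and therefore without the period-escaping that `gsub` needs), and the file output can then write one human-readable line per ERROR trap. Only the `.1` (CLUSTER_ID) and `.5` (status) OIDs come from the thread; the lowercase field names, the line format and the host, credentials and path values are assumptions or placeholders.

```logstash
input {
  snmptrap {
    type => "snmptrap"
    # community, port etc. as in your existing input
  }
}

filter {
  if [type] == "snmptrap" {
    # Exact field names, no regex: nothing to escape.
    # Assumed mapping: only .1 and .5 are named in the thread.
    mutate {
      rename => {
        "SNMPv2-SMI::enterprises.2.6.212.10.1.1" => "cluster_id"
        "SNMPv2-SMI::enterprises.2.6.212.10.1.5" => "status"
      }
    }
    # If you keep the gsub-on-message approach instead, escape the periods,
    # otherwise "." also matches any other character:
    # mutate { gsub => [ "message", "SNMPv2-SMI::enterprises\.2\.6\.212\.10\.1\.1", "CLUSTER_ID" ] }
  }
}

output {
  if [type] == "snmptrap" {
    elasticsearch {
      hosts    => ["myhost.domain.com:9200"]   # placeholder host
      user     => "user"                       # placeholder credentials
      password => "pass"
      index    => "logstash-snmp-%{+YYYY.MM.dd}"
    }
    # One readable line per ERROR trap instead of the full JSON event
    if [status] == "ERROR" {
      file {
        path  => "/var/spool/logstash/snmp.log"
        codec => line { format => "%{@timestamp} %{host} cluster=%{cluster_id} status=%{status}" }
      }
    }
    # While tuning, uncomment to see exactly what each event looks like:
    # stdout { codec => rubydebug }
  }
}
```

Run it once with the stdout output enabled to confirm the exact OID field names your traps carry before extending the rename map.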