Logstash: parsing snmp traps

(Roberto ) #1

Hello All,

At this moment, all the traps that i received in Logstash that have the error code, will write in elastic and in a file:
output {
if [type] == "snmptrap" {
elasticsearch { hosts => ["myhost.domain.com:9200"]
user => user
password => pass
index => "logstash-snmp-%{+YYYY.MM.dd}"
if [snmp OID] =="ERROR" {
file {
path => "/var/spool/logstash/snmp.log"
codec => json_lines {}

How i can parsing the snmp trap before write in the output file??

Thanks for your help,

Logstash: parsing snmp traps ( continue...)
(Magnus Bäck) #2

You're not describing in what way you want it parsed so it's impossible to help. What do your SNMP events currently look like? How would you like them to look instead?

(Roberto ) #3

Hello magnus,
Thanks a lot for your respond,
What i want is, write in a file ( "/var/spool/logstash/snmp.log" ) if the "SNMPv2-SMI::enterprises.] =="ERROR"", but in a " human" language, because now, doing this:
file {
path => "/var/spool/logstash/snmp.log"
codec => json_lines {}
In the file are all the SNMP trap information with all the OIDs, and my goal is change the all the "SNMPv2-SMI::enterprises." by a string like:
mutate {
gsub => [
# replace all forward slashes with underscore
"message", "SNMPv2-SMI::enterprises.", "CLUSTER_ID"

Thanks a lot for your help.

(Magnus Bäck) #4

That mutate filter looks like something that could work (but you should escape the periods since they are metacharacters in regexps). What are you having trouble with?

For best results avoid describing what you want to accomplish. Show examples instead, like what an event looks like now (using a stdout { codec => rubydebug } output) and what the desired outcome.

(system) #5

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.