Logstash SNMP plugin not polling all OIDs

Hi,

I'm setting up a logstash that has a snmp input plugin and an elasticsearch output.

Everything works except 1 specific OID. I checked, and the OID has data and is available. I can't figure out why it is not polling this 1 specific OID; Google was no help.

Here is my logstash pipeline input plugin:

input {
    # input of Palo Alto firewall logs - SNMPv3 over udp/port
    snmp {
        id => "paloalto"
        ecs_compatibility => "v8"

        # store SNMP payload under [snmp] to avoid root clashes under ECS
        target => "snmp"

        # Palo Alto Firewall host
        hosts => [{host => "udp:<host/port>" community => "<community string>" version => "3"}]

        # v3 - security
        # <hidden as this part works and don't want to share too much info>

        # OIDs
        oid_mapping_format => "default"
        #oid_mapping_format => "ruby_snmp"
        #oid_mapping_format => "dotted_string"
        get => [
            "1.3.6.1.4.1.25461.2.1.2.1.11.0",    # Node HA mode
            "1.3.6.1.4.1.25461.2.1.2.1.12.0",    # Peer HA node
            "1.3.6.1.2.1.25.2.2.0",              # Memory
            "1.3.6.1.4.1.25461.2.1.2.3.1.0",     # Session Statistics
            "1.3.6.1.2.1.25.1.1.0",              # System Uptime
            "1.3.6.1.4.1.25461.2.1.2.5.1.1.0"    # Gateway Statistics
        ]
        walk => [
            "1.3.6.1.4.1.25461.2.1.2.6.1.3.1.2", # Disk free
            "1.3.6.1.2.1.99.1.1",                # PhysSensor: (2) / CPU die Temperature
            "1.3.6.1.2.1.2.2.1.2",               # Traffic 64bit
            "1.3.6.1.2.1.2.2.1.10",              # Traffic 64bit ifInOctets
            "1.3.6.1.2.1.2.2.1.16"               # Traffic 64bit ifOutOctets
        ]
        # polling happens every 30 seconds
        interval => 30
    }
}

Any help is appreciated. I'm currently trying with the AI assistant, but no luck there either.

The OID not working is: "1.3.6.1.2.1.25.2.2.0"

Kind regards,

Tom

Are you able to get this using snmpwalk or snmpget in the CLI?

Another idea is to make a simplified, cloned .conf with a basic "get" request for the value which is missing, without any filtering, and show the output in stdout with rubydebug or in a file.

1 Like

snmpwalk in the CLI gives the following: %Failed to get value of SNMP variable. Timeout.

Got no output in my file. I used the same input config but only polled the 1 specific OID, with no filtering and a file as output.

Hmm... Can you accept all traffic from that host, without subtree OIDs? It might be Palo Alto not sending all data.

Edit: A silly question: does your device support SNMPv3?

What do you mean by 'accept all traffic'? Do you mean outside of Logstash, using an snmpwalk or snmpget command in the CLI?

Not a silly question, but yes, it supports v3. As all other OIDs do work, I see no issue there. I also use a second pipeline for Cisco switch SNMP data, where I use version v2c; there everything works except, again, 1 specific OID. I did some research online and found that the SNMP Logstash plugin has some limitations. Maybe some OIDs are not queryable for the plugin?

Accept all traffic/SNMP message for OID 1.3.6.1.2.1.25.2.0, including subtrees or from brothers/siblings.

...
get => [ "1.3.6.1.2.1.25.2.0"] # or for  1.3.6.1.2.1.25.2.3.1 or 1.3.6.1.2.1.25.1.0
...

Is it only one host that you query?

Was this executed from the same machine where logstash is running to rule out any network blocking?

If you cannot get the information using snmpwalk then I don't think this is an issue in Logstash.

Try to confirm it: do a snmpwalk or snmpget using one of the OIDs that you are receiving through Logstash, then test with the one that is not working again.

If you can get the first, but not the second, then Logstash would also not be able to get the second OID.

1 Like
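
The comparison suggested in the last reply, written out as an added example that is not part of the original thread: it queries one OID that works and the one that does not, from the Logstash host, and reports where the problem sits. It assumes net-snmp's `snmpget` with the SNMPv3 credentials kept in `~/.snmp/snmp.conf`; the script and function names are hypothetical.

```shell
#!/bin/sh
# Added example: compare a known-good OID with the failing one, run on the
# Logstash host. Assumes net-snmp's snmpget; SNMPv3 credentials are read from
# ~/.snmp/snmp.conf so passphrases stay off the command line and process list.

GOOD_OID="1.3.6.1.2.1.25.1.1.0"   # System Uptime, from the get list in the thread
BAD_OID="1.3.6.1.2.1.25.2.2.0"    # the OID reported as not working

# Map one snmpget result (exit status, combined output) to a short label.
classify_reply() {
    case "$2" in
        *"Timeout: No Response"*)                echo timeout ;;
        *"No Such Object"*|*"No Such Instance"*) echo missing ;;
        *) if [ "$1" -eq 0 ]; then echo ok; else echo error; fi ;;
    esac
}

# Turn the two labels into the conclusion drawn in the thread.
diagnose() {
    case "$1/$2" in
        ok/ok) echo pipeline ;;  # both answer from this host: look at the Logstash config
        ok/*)  echo agent ;;     # device does not serve this OID: not a Logstash issue
        *)     echo path ;;      # even the good OID fails: network or credentials
    esac
}

# Query one OID (2 s timeout, 1 retry, numeric OID output) and classify the reply.
probe() {
    out=$(snmpget -t 2 -r 1 -On "$1" "$2" 2>&1) && rc=0 || rc=$?
    classify_reply "$rc" "$out"
}

# Usage: sh oidcheck.sh <host>   (nothing is queried when no host is given)
if [ "$#" -ge 1 ]; then
    good=$(probe "$1" "$GOOD_OID")
    bad=$(probe "$1" "$BAD_OID")
    echo "good=$good bad=$bad verdict=$(diagnose "$good" "$bad")"
fi
```

A verdict of `agent` matches the case described in the reply above: the first OID answers, the second does not, so Logstash would not be able to get it either.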