Logstash snmptrap dynamic fields with ruby

Hi everyone,

I have a problem with dynamic fields. I saw a few topics but they were not useful for me.

When you use Logstash as an snmptrap receiver, you will see that the data are not static values. They change when the source changes.

Example: when a trap comes from the Fa0/1 interface the field is like SNMP:SMI:Ifindex.1, and from Fa0/2 it is SNMP:SMI:Ifindex.2.

It is a problem when I work with Logstash.

I tried some Ruby code but I am not very good at Ruby.

Can you help me with how to remove the dynamic section in dynamic fields?

filter {
  ruby {
    code => "
      # Walk a copy of the fields (to_hash) so the event can be changed while iterating.
      event.to_hash.each do |k, v|
        # Keys like 'VTP-MIB::vtpVlanIndexVlanID.3002' end in a numeric instance suffix.
        if k =~ /\.\d+\z/
          base = k.sub(/\.\d+\z/, '')
          event.set(base, v)   # store the value under the key without the suffix
          event.remove(k)      # drop the original dynamic key
        end
      end
    "
  }
}

This is the trap message:

{
                   "SNMPv2-MIB::snmpTrapOID.0" => "BRIDGE-MIB::topologyChange",
    "DISMAN-EXPRESSION-MIB::sysUpTimeInstance" => "205 days, 21:40:58.24",
            "VTP-MIB::vtpVlanIndexVlanID.3002" => "3002",
                                  "@timestamp" => 2017-01-12T07:56:45.143Z,
                                        "host" => "172.26.44.65",
                                    "@version" => "1",
                                     "message" => "#<SNMP::SNMPv2_Trap:0x25e80829 @request_id=36, @error_index=0, @error_status=0, @source_ip=\"172.26.44.65\", @varbind_list=[#<SNMP::VarBind:0x64d50212 @name=[1.3.6.1.2.1.1.3.0], @value=#<SNMP::TimeTicks:0x3037bba7 @value=1779005824>>, #<SNMP::VarBind:0x557b44c8 @name=[1.3.6.1.6.3.1.1.4.1.0], @value=[1.3.6.1.2.1.17.0.2]>, #<SNMP::VarBind:0x4873a3d3 @name=[1.3.6.1.4.1.9.9.46.1.3.1.1.1.1.3002], @value=#<SNMP::Integer:0x4fafd5d @value=3002>>, #<SNMP::VarBind:0x91d94e6 @name=[1.3.6.1.2.1.31.1.1.1.1.10027], @value=\"Fa0/27\">]>",
                        "IF-MIB::ifName.10027" => "Fa0/27",
                                        "tags" => []
}

I want to remove the .3002 section from its main section.

"VTP-MIB::vtpVlanIndexVlanID.3002" => "3002"
"VTP-MIB::vtpVlanIndexVlanID" => "3002"

and finally it should work for all dynamic variables.

"VTP-MIB::vtpVlanIndexVlanID" => "1"
"VTP-MIB::vtpVlanIndexVlanID" => "500"

or

"IF-MIB::ifName.10027" => "Fa0/27"

"IF-MIB::ifName" => "Fa0/27"
"IF-MIB::ifName" => "Fa0/35"

Best regards.

I tried this code but I always get a Ruby exception.

I can't figure out how to make this Ruby code work.

ruby {
  code => "
    # event['...'] / event[...] = ... is the pre-5.x event accessor; 5.x uses event.get / event.set.
    event['Item'].each_value { |value|
      value.each_pair { |key, val|
        event[key] = val
      }
    }
  "
}

I couldn't alter the dynamic field, but I stored the information from the dynamic fields in an array.

ruby {
  code => "
    # Collect the values in the order to_hash returns them, then pick by position.
    array = Array.new
    event.to_hash.values.each { |v| array.push(v) }
    event.set('eventid', array[0])
    event.set('vlanid', array[2])
    event.set('portid', array[9])
    # Local receive time as day, month name, year, time with milliseconds and zone offset.
    temp = Time.new
    temp = temp.localtime.strftime('%d %B %Y %H:%M:%S.%L %z')
    event.set('timeid', temp)
  "
  add_tag => "Topo_Change"
}

The code in the reply above can be wrong when the key values change their position.

I fixed this problem with this modification:

if [SNMPv2-MIB::snmpTrapOID.0] == "BRIDGE-MIB::topologyChange" {
  ruby {
    code => "
      # Look each field up by key name instead of by position, so the order
      # in which to_hash returns the fields no longer matters.
      event.to_hash.each { |k, v|
        event.set('vlanid', v) if k.include?('VTP-MIB::vtpVlanIndexVlanID')
        event.set('portid', v) if k.include?('IF-MIB::ifName')
      }
      temp = Time.new
      temp = temp.localtime.strftime('%d %B %Y %H:%M:%S.%L %z')
      event.set('timeid', temp)
    "
    add_tag => "Topo_Change"
    add_field => { "eventid" => "Topology_Change" }
  }
}
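The suffix stripping the original question asks for, as an added example that is not part of the thread. It replaces the position-based lookup in the last reply with one pass over the fields and keeps the instance number in its own field instead of discarding it. `StubEvent`, the `_instance` field name and the MIB-name regex are assumptions of this example; `SAMPLE_TRAP` is constructed from the trap shown above. The body of `normalize_trap_fields` is what would go into the `code =>` string of a `ruby` filter.

```ruby
# Added example, not code from the thread: strip the numeric SNMP instance
# suffix from trap field names so later filters can use one stable key.
#   "IF-MIB::ifName.10027" => "Fa0/27"
# becomes
#   "IF-MIB::ifName" => "Fa0/27" and "IF-MIB::ifName_instance" => "10027".
# The "_instance" name and the StubEvent class are assumptions of this example.

# MODULE::object.instance, where MODULE and object follow MIB naming rules.
INSTANCE_RE = /\A(?<base>[A-Za-z0-9-]+::[A-Za-z0-9]+)\.(?<instance>\d+)\z/

# Returns [base_name, instance] for a dynamic key, or nil for keys to leave alone.
# A ".0" suffix marks a scalar object (snmpTrapOID.0, sysUpTime.0); it is not
# dynamic, so it stays as-is and conditionals written against it keep working.
def split_instance(key)
  m = INSTANCE_RE.match(key.to_s)
  return nil if m.nil? || m[:instance] == '0'
  [m[:base], m[:instance]]
end

# Body of a `ruby { code => ... }` filter. Iterates over a copy of the
# fields (to_hash) so the event can be modified during the walk.
def normalize_trap_fields(event)
  event.to_hash.each do |key, value|
    base, instance = split_instance(key)
    next if base.nil?
    event.set(base, value)                   # stable key for later filters
    event.set("#{base}_instance", instance)  # keep the ifIndex / VLAN id
    event.remove(key)                        # drop the dynamic key
  end
  event
end

# Minimal stand-in for the Logstash 5.x event API used above (assumption).
class StubEvent
  def initialize(fields)
    @fields = fields.dup
  end

  def to_hash
    @fields.dup
  end

  def get(key)
    @fields[key]
  end

  def set(key, value)
    @fields[key] = value
  end

  def remove(key)
    @fields.delete(key)
  end
end

# Constructed from the trap message shown in the thread.
SAMPLE_TRAP = {
  'SNMPv2-MIB::snmpTrapOID.0' => 'BRIDGE-MIB::topologyChange',
  'DISMAN-EXPRESSION-MIB::sysUpTimeInstance' => '205 days, 21:40:58.24',
  'VTP-MIB::vtpVlanIndexVlanID.3002' => '3002',
  'IF-MIB::ifName.10027' => 'Fa0/27',
  'host' => '172.26.44.65'
}

if __FILE__ == $PROGRAM_NAME
  normalized = normalize_trap_fields(StubEvent.new(SAMPLE_TRAP)).to_hash
  normalized.each { |k, v| puts "#{k} => #{v}" }
end
```

Keeping the instance number matters for a topology-change trap: the ifIndex (10027) and VLAN id (3002) are what identify which port and VLAN the change came from, so dropping them would leave the alert without the detail needed to investigate it. With the fields normalised, the conditional from the last reply can use `[VTP-MIB::vtpVlanIndexVlanID]` and `[IF-MIB::ifName]` directly instead of counting positions.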
