MIB OID Translation

Dear logstash,

/opt/logstash/vendor/bundle/jruby/1.9/gems/snmp-1.2.0/data/ruby/snmp/mibs contains a venerable treasure trove of pre-converted YAML MIBs. However I have run into an issue:

From Kibana:


The start of the translated YAML MIB from Fortinet below has (it is my understanding) 0. as a shorthand to RFC1155-SMI::enterprises

    fortinet: '0.12356'
    fnCoreMib: 0.12356.100

As you can see, part of the OID is translated, namely into RFC1155-SMI::enterprises.
It stops at .12356 however. This number is registered at IANA: http://www.iana.nl/assignments/enterprise-numbers/enterprise-numbers. These enterprises aren't centralized, meaning there's no MIB for those values. Apparently this number is looked up by your snmp-manager. Therein lies my problem.

Any way to get the .12356 enterprise number translated by Logstash?

Hi @tom_jonge,

You can import your Vendor's MIBs:

1. Download the import script and place it in the snmp package's root directory.

        cd ~/logstash-1.5.4/vendor/bundle/jruby/1.9/gems/snmp-1.2.0/
        wget https://raw.githubusercontent.com/hallidave/ruby-snmp/master/import.rb

2. Ensure your OS has the smidump tool installed (yum install libsmi or apt-get install smitools)
3. Download your vendor's .mib file(s) into a directory called mibs
4. Run the import script on the directory

        snmp-1.2.0$ ruby import.rb mibs/
        snmp-1.2.0$ head data/ruby/snmp/mibs/FORTINET-CORE-MIB.yaml

Let me know if this works,



Hi Jay! Thanks for your help.

Got the import working after some problems with dependencies.
This still does not solve my problem though. Enterprise Number is not translated. Stops at RFC1155-SMI::enterprises.12356.

Seems to me that with the FORTINET-CORE-MIB.yaml containing fortinet: it should work.

Just attempted an ugly fix. Deleted the RFC1155-SMI.yaml. Deleted all indexes. Deleted the mapping. Starting fresh.
Still get:


It shouldn't even be able to find anything concerning the RFC1155-SMI::enterprises now that it has been deleted. Where is it getting that mapping from? When creating the default Logstash-* mapping does it look at earlier mappings or something?

Can you make sure that the Fortinet YAML is being loaded? If you run Logstash with --debug, the snmptrap input should output lines like this:

found MIBs: <List of MIBs> 



    SNMP Trap listener died {:exception=>#<SocketError: bind: name or service not known>, :backtrace=>["org/jruby/ext/socket/RubyUDPSocket.java:160:in `bind'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/snmp-1.2.0/lib/snmp/manager.rb:540:in `initialize'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/snmp-1.2.0/lib/snmp/manager.rb:585:in `create_transport'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/snmp-1.2.0/lib/snmp/manager.rb:618:in `initialize'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-input-snmptrap-1.0.0/lib/logstash/inputs/snmptrap.rb:69:in `snmptrap_listener'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-input-snmptrap-1.0.0/lib/logstash/inputs/snmptrap.rb:54:in `run'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-1.5.4-java/lib/logstash/pipeline.rb:177:in `inputworker'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-1.5.4-java/lib/logstash/pipeline.rb:171:in `start_input'"], :level=>:warn}

Is all I get, which is nonsense since it is binding to the port just fine and SNMP traps are flowing through to Kibana. Logstash user is root so it can use privileged port 162.
Nothing about mibs loaded.

It appears that the debug output is not generated unless this parameter is specified.



    input {
      snmptrap {
        port => 162
        community => 'tomtom'
        type => 'snmptrap'
        yamlmibdir => "/opt/logstash/vendor/bundle/jruby/1.9/gems/snmp-1.2.0/data/ruby/snmp/mibs"
      }
    }

This has been defined already. Otherwise it wouldn't have been able to correctly translate part of the OID with the YAML MIBs in the defined yamlmibdir.
Stumbled upon that reference yesterday. Already attempted to get

found MIBs: List of MIBs

By running bin/logstash agent -f /etc/logstash/* --debug

Afraid I get the above-mentioned error over and over and nothing else.

Can you provide me with a .pcap format packet capture of the incoming trap (dropbox/s3,etc) ? That will help me to reproduce, if it comes to that.

Also, when I start logstash with snmptrap input, I see considerably more debug output, including the mentioned YAMLs loaded.

    bin/logstash --debug -f snmptrap-input-test.cfg
    config LogStash::Outputs::Stdout/@exclude_tags = [] {:level=>:debug, :file=>"logstash/config/mixin.rb", :line=>"111", :method=>"config_init"}
    config LogStash::Outputs::Stdout/@workers = 1 {:level=>:debug, :file=>"logstash/config/mixin.rb", :line=>"111", :method=>"config_init"}
    checking ~/logstash-1.5.4/vendor/bundle/jruby/1.9/gems/snmp-1.2.0/data/ruby/snmp/mibs/ for MIBs {:level=>:info, :file=>"logstash/inputs/snmptrap.rb", :line=>"40", :method=>"register"}

If I run it without the --debug flag, I see output similar to yours.

Please show me the output of:

bin/logstash --version
bin/plugin list --verbose

(still not sure about why we see that Trap listener died - I will investigate that further).

Thanks for the help so far Jay!
Running bin/logstash agent -f /etc/logstash/conf.d/02-input-snmp-udp.conf --debug gives me the below with the Trap Listener died at the end.


So they are being loaded.


As requested:

bin/logstash --version
logstash 1.5.4

bin/plugin list --verbose
logstash-codec-collectd (1.0.1)
logstash-codec-dots (1.0.0)
logstash-codec-edn (1.0.0)
logstash-codec-edn_lines (1.0.0)
logstash-codec-es_bulk (1.0.0)
logstash-codec-fluent (1.0.0)
logstash-codec-graphite (1.0.0)
logstash-codec-json (1.0.1)
logstash-codec-json_lines (1.0.1)
logstash-codec-line (1.0.0)
logstash-codec-msgpack (1.0.0)
logstash-codec-multiline (1.0.0)
logstash-codec-netflow (1.0.0)
logstash-codec-oldlogstashjson (1.0.0)
logstash-codec-plain (1.0.0)
logstash-codec-rubydebug (1.0.0)
logstash-filter-anonymize (1.0.0)
logstash-filter-checksum (1.0.1)
logstash-filter-clone (1.0.0)
logstash-filter-csv (1.0.0)
logstash-filter-date (1.0.0)
logstash-filter-dns (1.0.0)
logstash-filter-drop (1.0.0)
logstash-filter-fingerprint (1.0.0)
logstash-filter-geoip (1.0.2)
logstash-filter-grok (1.0.0)
logstash-filter-json (1.0.1)
logstash-filter-kv (1.0.0)
logstash-filter-metrics (1.0.0)
logstash-filter-multiline (1.0.0)
logstash-filter-mutate (1.0.1)
logstash-filter-ruby (1.0.0)
logstash-filter-sleep (1.0.0)
logstash-filter-split (1.0.0)
logstash-filter-syslog_pri (1.0.0)
logstash-filter-throttle (1.0.0)
logstash-filter-urldecode (1.0.0)
logstash-filter-useragent (1.0.1)
logstash-filter-uuid (1.0.0)
logstash-filter-xml (1.0.0)
logstash-input-couchdb_changes (1.0.0)
logstash-input-elasticsearch (1.0.0)
logstash-input-eventlog (1.0.0)
logstash-input-exec (1.0.0)
logstash-input-file (1.0.1)
logstash-input-ganglia (1.0.0)
logstash-input-gelf (1.0.0)
logstash-input-generator (1.0.0)
logstash-input-graphite (1.0.0)
logstash-input-heartbeat (1.0.0)
logstash-input-http (1.0.2)
logstash-input-imap (1.0.0)
logstash-input-irc (1.0.0)
logstash-input-kafka (1.0.0)
logstash-input-log4j (1.0.0)
logstash-input-lumberjack (1.0.4)
logstash-input-pipe (1.0.0)
logstash-input-rabbitmq (1.1.0)
logstash-input-redis (1.0.3)
logstash-input-s3 (1.0.0)
logstash-input-snmptrap (1.0.0)
logstash-input-sqs (1.0.0)
logstash-input-stdin (1.0.0)
logstash-input-syslog (1.0.1)
logstash-input-tcp (1.0.0)
logstash-input-twitter (1.0.1)
logstash-input-udp (1.0.0)
logstash-input-unix (1.0.0)
logstash-input-xmpp (1.0.0)
logstash-input-zeromq (1.0.0)
logstash-output-cloudwatch (1.0.0)
logstash-output-csv (1.0.0)
logstash-output-elasticsearch (1.0.7)
logstash-output-elasticsearch_http (1.0.0)
logstash-output-email (1.0.0)
logstash-output-exec (1.0.0)
logstash-output-file (1.0.0)
logstash-output-ganglia (1.0.0)
logstash-output-gelf (1.0.0)
logstash-output-graphite (1.0.2)
logstash-output-hipchat (1.0.0)
logstash-output-http (1.0.0)
logstash-output-irc (1.0.0)
logstash-output-juggernaut (1.0.0)
logstash-output-kafka (1.0.0)
logstash-output-lumberjack (1.0.2)
logstash-output-nagios (1.0.0)
logstash-output-nagios_nsca (1.0.0)
logstash-output-null (1.0.0)
logstash-output-opentsdb (1.0.0)
logstash-output-pagerduty (1.0.0)
logstash-output-pipe (1.0.0)
logstash-output-rabbitmq (1.1.1)
logstash-output-redis (1.0.0)
logstash-output-s3 (1.0.0)
logstash-output-sns (2.0.1)
logstash-output-sqs (1.0.0)
logstash-output-statsd (1.1.0)
logstash-output-stdout (1.0.0)
logstash-output-tcp (1.0.0)
logstash-output-udp (1.0.0)
logstash-output-xmpp (1.0.0)
logstash-output-zeromq (1.0.0)
logstash-patterns-core (0.3.0)

I'll work on that pcap format packet capture.

Thanks, if you can provide me the exact MIB files you're using as well, that would help.

.mib filetype is unauthorized and pasting it here will exceed character limit.
Using dropbox.

Added a .pcap file to dropbox. https://www.dropbox.com/s/9mftrvbjaq3g3vh/capture.pcap?dl=0 Looks a little jumbled to me when viewing with tcpick -C -yP -r capture.pcap.
Let me know if the file is useless.

Just noticed something peculiar in relation to snmp trap listener died. I'm used to running logstash as a service (as per several tutorials). Noticed that with the service stopped, udp6 port 162 is still occupied and snmptraps are still being processed. Somehow logstash is still running.

Have to go, thanks a million for your help so far. Currently suspecting an old zombie java process for Logstash is the culprit. Will continue troubleshooting tomorrow.

OK I was able to reproduce using your MIBs and PCAP, however in my case, the OID was translated! (Go Figure).

  1. I received the same error about the Trap Listener Dying while I was testing as an unprivileged user. As root, the message ceased. That's obviously not what happened in your case, but I just thought I would mention it.
  2. I used the import.rb script to import your MIBs.
  3. I used tcprewrite/tcpreplay to shoot the traps at my listener, and received the following ruby debug output.
                                        "host" => "",
                                    "@version" => "1",
                                  "@timestamp" => "2015-09-22T17:34:42.551Z",
                                        "type" => "snmptrap",
    "DISMAN-EXPRESSION-MIB::sysUpTimeInstance" => "106 days, 01:43:44.15",
                   "SNMPv2-MIB::snmpTrapOID.0" => "FORTINET-CORE-MIB::fortinet.",
            "FORTINET-CORE-MIB::fnSysSerial.0" => "FGT80C3912619162",
                       "SNMPv2-MIB::sysName.0" => "office-fn1",
     "FORTINET-CORE-MIB::fortinet." => "40",
     "FORTINET-CORE-MIB::fortinet." => "",
     "FORTINET-CORE-MIB::fortinet." => "unknown dos attack"

Is this the output you're hoping for? If so, there must be some minor difference between what we are both doing. Would you please use my test config and show me your corresponding output?

    input {
      snmptrap {
        port => 162
        community => 'tomtom'
        type => 'snmptrap'
        yamlmibdir => "/Users/jay/Workspace/logstash-1.5.4/vendor/bundle/jruby/1.9/gems/snmp-1.2.0/data/ruby/snmp/mibs/"
      }
    }

    output {
      stdout { codec => rubydebug }
    }

Also as a hail mary you could do a

 bin/plugin update

Be careful here - and please back up your logstash installation before doing this - Answer "No" to any updates that have no backwards compatibility from Elasticsearch 2.0, and then watch the output to see if snmp or logstash-input-snmptrap packages were updated.

Thanks so much for all your help. Is there a way I can give you a positive review somehow?

Killing all logstash related java processes and then rebooting the server seems to have solved the problem with translating the OIDs and the SNMP Trap Listener Died error (somehow related?). Maybe my method of making logstash run as root is not ideal?
I just changed LS_user to root in /etc/init.d/logstash. I tried setcap because running logstash as root is obviously not ideal but this was unsuccessful.

@tom_jonge, I'm glad that we have gotten things resolved.

It is generally not advised to run logstash as root, if it can be avoided, but we understand of course that sometimes root privileges are necessary, for example in this case. You can usually work around these limitations in the OS by assigning proper permissions, etc, and we recommend doing so in your production environment. :smile:
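A diagnostic for the symptom discussed in this thread, as an added example (not code from the thread, the snmptrap plugin, or ruby-snmp): it models OID translation as a longest-prefix lookup over YAML name-to-OID maps, which is an assumption, and shows why a trap OID falls back to `RFC1155-SMI::enterprises.12356` when the vendor entries are absent or not rooted at `1.3.6.1.4.1`. The YAML strings, the `BROKEN-IMPORT` module name and the trap OID are constructed.

```ruby
require 'yaml'

# Constructed sample data, not the real MIB files: module => YAML text in the
# "name: numeric OID" layout of the converted MIBs. BROKEN-IMPORT is a
# hypothetical module holding the two lines quoted in the first post.
SAMPLE_MIBS = {
  'RFC1155-SMI' => "enterprises: 1.3.6.1.4.1\n",
  'FORTINET-CORE-MIB' =>
    "fortinet: 1.3.6.1.4.1.12356\nfnCoreMib: 1.3.6.1.4.1.12356.100\n",
  'BROKEN-IMPORT' => "fortinet: '0.12356'\nfnCoreMib: 0.12356.100\n"
}.freeze

# Build one index of numeric OID => "MODULE::name" from the chosen modules.
def build_index(modules)
  modules.each_with_object({}) do |mod, index|
    YAML.safe_load(SAMPLE_MIBS.fetch(mod)).each do |name, oid|
      index[oid.to_s] = "#{mod}::#{name}"
    end
  end
end

# Longest-prefix translation (assumed model): drop trailing sub-identifiers
# until a known OID is found, then append the unmatched remainder as numbers.
def translate(index, oid)
  parts = oid.split('.')
  parts.length.downto(1) do |n|
    label = index[parts.first(n).join('.')]
    next unless label
    rest = parts.drop(n)
    return rest.empty? ? label : "#{label}.#{rest.join('.')}"
  end
  oid # nothing matched: leave the OID numeric
end

# Names whose OID is not under the internet arc (1.3.6.1); they can never be
# a prefix of an enterprise trap OID, so translation falls back to the parent.
def misrooted(index, root = '1.3.6.1')
  index.reject { |oid, _| oid == root || oid.start_with?("#{root}.") }.values
end

if __FILE__ == $PROGRAM_NAME
  trap_oid = '1.3.6.1.4.1.12356.100.9.9' # constructed varbind OID
  [%w[RFC1155-SMI], %w[RFC1155-SMI BROKEN-IMPORT],
   %w[RFC1155-SMI FORTINET-CORE-MIB]].each do |mods|
    index = build_index(mods)
    puts "#{mods.join('+')}: #{translate(index, trap_oid)} #{misrooted(index)}"
  end
end
```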

Hi @PhaedrusTheGreek

Thanks for your solution. Unfortunately I can't get the script to work on some systems.

It does what it should on Fedora 20 (ruby 2.0.0p353) but it won't work on SLES 11 SP4 (ruby 1.8.7). On SLES I always get the output:

    unrecognized option -k
    *** Import failed for: [mibfile] ***

Since the whole script does not contain a -k and I'm not a Ruby guy I'm stuck.

I thought, maybe there's a mismatch in the ruby versions and tried to search for a ruby binary in the logstash installation but I didn't find one I could use (Logstash 1.5.1).

Maybe you could give me a hint?

I tried other scripts to convert mibs to yaml but they all have more dependencies I can not fulfill on SLES 11 SP4.

Thanks in advance!


It seems that the -k option is only available after libsmi-0.4.6 (in the smidump command).

I filed this issue with the maintainer.

It seems that libsmi-0.4.5 is what you get with SLES 11. Possible solution then would be to try a manual upgrade.


Tested on Ubuntu 14.04.4 LTS.


apt-get install smitools

I have installed smitools and put my vendors' MIB files into the mibs directory, but still get the error.

    /opt/logstash/vendor/bundle/jruby/1.9/gems/snmp-1.2.0# ruby -d import.rb mibs/

    Exception `LoadError' at /usr/lib/ruby/2.1.0/rubygems.rb:1203 - cannot load such file -- rubygems/defaults/ruby
    Exception `NameError' at /usr/lib/ruby/2.1.0/psych/class_loader.rb:67 - uninitialized constant BigDecimal
    Exception `NameError' at /usr/lib/ruby/2.1.0/psych/class_loader.rb:67 - uninitialized constant DateTime
    Exception `NameError' at /usr/lib/ruby/2.1.0/psych/core_ext.rb:16 - method `to_yaml' not defined in Object
    Exception `NameError' at /usr/lib/ruby/2.1.0/psych/core_ext.rb:29 - method `yaml_as' not defined in Module
    Exception `NameError' at /usr/lib/ruby/2.1.0/psych/deprecated.rb:81 - undefined method `to_yaml_properties' for class `Object'
    Exception `Errno::EEXIST' at /usr/lib/ruby/2.1.0/fileutils.rb:250 - File exists @ dir_s_mkdir - /opt/logstash/vendor/bundle/jruby/1.9/gems/snmp-1.2.0/data/ruby/snmp/mibs
    smidump: module `mibs//CERENT-TC.mib' contains errors, expect flawed output
    Exception `Errno::EEXIST' at /usr/lib/ruby/2.1.0/fileutils.rb:250 - File exists @ dir_s_mkdir - /opt/logstash/vendor/bundle/jruby/1.9/gems/snmp-1.2.0/data/ruby/snmp/mibs
    Exception `Errno::EEXIST' at /usr/lib/ruby/2.1.0/fileutils.rb:250 - File exists @ dir_s_mkdir - /opt/logstash/vendor/bundle/jruby/1.9/gems/snmp-1.2.0/data/ruby/snmp/mibs
    smidump: cannot locate module `mibs//CERENT-MSDWDM-MIB.mib'
    *** Import failed for: mibs//CERENT-MSDWDM-MIB.mib ***