MIB OID Translation

tom_jonge · September 21, 2015, 3:34pm

Dear logstash,

/opt/logstash/vendor/bundle/jruby/1.9/gems/snmp-1.2.0/data/ruby/snmp/mibs containts a venerable treasure trove of pre-converted YAML MIBs. However I have run into an issue:

From Kibana:

RFC1155-SMI::enterprises.12356.101.9.3.2.0 		       172.16.20.72

The start of the translated YAML MIB from Fortinet below has (it is my understanding) 0. as a shorthand to RFC1155-SMI::enterprises

\---
    fortinet: '0.12356'
    fnCoreMib: 0.12356.100

As you can see part of the OID is translated. Namely 1.3.6.1.4.1 into RFC1155-SMI::enterprises.
It stops at .12356 however. This number is registered at IANA http://www.iana.nl/assignments/enterprise-numbers/enterprise-numbers These enterprises arent centralized, meaning there's no MIB for those values. Apparently this number is lookup up by your snmp-manager. Therein lies my problem.

Any way to get the .12356 enterprise number translated by Logstash?

PhaedrusTheGreek · September 21, 2015, 8:16pm

Hi @tom_jonge,

You can import your Vendor's MIBs:

1. Download the import script and place it in the snmp package's root directory.

cd ~/logstash-1.5.4/vendor/bundle/jruby/1.9/gems/snmp-1.2.0/
wget https://raw.githubusercontent.com/hallidave/ruby-snmp/master/import.rb

2. Ensure your OS has the smidump tool installed (yum install libsmi or apt-get install smitools)
3. Download your vendor's .mib file(s) into a directory called mibs
4. Run the import script on the directory

snmp-1.2.0$ ruby import.rb mibs/
mibs/FORTINET-CORE-MIB.mib
snmp-1.2.0$ head data/ruby/snmp/mibs/FORTINET-CORE-MIB.yaml
---
fortinet: 1.3.6.1.4.1.12356
fnCoreMib: 1.3.6.1.4.1.12356.100
fnCommon: 1.3.6.1.4.1.12356.100.1
fnSystem: 1.3.6.1.4.1.12356.100.1.1
fnSysSerial: 1.3.6.1.4.1.12356.100.1.1.1
fnMgmt: 1.3.6.1.4.1.12356.100.1.2
fnMgmtLanguage: 1.3.6.1.4.1.12356.100.1.2.1
fnAdmin: 1.3.6.1.4.1.12356.100.1.2.100
fnAdminNumber: 1.3.6.1.4.1.12356.100.1.2.100.1

Let me know if this works,

Jay

tom_jonge · September 22, 2015, 7:41am

Hi Jay! Thanks for your help.

Got the import working after some problems with dependencies.
This still does not solve my problem though. Enterprise Number is not translated. Stops at RFC1155-SMI::enterprises.12356.

Seems to me that with the FORTINET-CORE-MIB.yaml containing fortinet: 1.3.6.1.4.1.12356 it should work.

Update:
Just attempted an ugly fix. Deleted the RFC1155-SMI.yaml. Deleted all indexes. Deleted the mapping. Starting fresh.
Still get:

  RFC1155-SMI::enterprises.12356.101.9.3.2.0 		       172.16.20.72

It shouldnt even be able to find anything concerning the RFC1155-SMI::enterprises now that it has been deleted. Where is it getting that mapping from? When creating the default Logstash-* mapping does it look at earlier mappings or something?

PhaedrusTheGreek · September 22, 2015, 1:17pm

Can you make sure that the Fortinet YAML is being loaded? If you run Logstash with --debug, the snmptrap input should output lines like this:

found MIBs: <List of MIBs>

Thanks,

Jay

tom_jonge · September 22, 2015, 1:27pm

SNMP Trap listener died {:exception=>#<SocketError: bind: name or service not known>, :backtrace=>["org/jruby/ext/socket/RubyUDPSocket.java:160:in bind'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/snmp-1.2.0/lib/snmp/manager.rb:540:ininitialize'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/snmp-1.2.0/lib/snmp/manager.rb:585:in create_transport'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/snmp-1.2.0/lib/snmp/manager.rb:618:ininitialize'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-input-snmptrap-1.0.0/lib/logstash/inputs/snmptrap.rb:69:in snmptrap_listener'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-input-snmptrap-1.0.0/lib/logstash/inputs/snmptrap.rb:54:inrun'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-1.5.4-java/lib/logstash/pipeline.rb:177:in inputworker'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-1.5.4-java/lib/logstash/pipeline.rb:171:instart_input'"], :level=>:warn}

Is all I get, which is nonsense since it is binding to the port just fine and SNMP traps are flowing through to Kibana. Logstash user is root so it can use privileged port 162.
Nothing about mibs loaded.

PhaedrusTheGreek · September 22, 2015, 1:32pm

It appears that the debug output is not generated unless this parameter is specified.

yamlmibdir

References:
https://logstash.jira.com/browse/LOGSTASH-1385

github.com

logstash-plugins/logstash-input-snmptrap/blob/master/lib/logstash/inputs/snmptrap.rb#L46


end # def initialize


def register
  @snmptrap = nil
  if @yamlmibdir
    @logger.info("checking #{@yamlmibdir} for MIBs")
    Dir["#{@yamlmibdir}/*.yaml"].each do |yamlfile|
      mib_name = File.basename(yamlfile, ".*")
      @yaml_mibs ||= []
      @yaml_mibs << mib_name
    end
    @logger.info("found MIBs: #{@yaml_mibs.join(',')}") if @yaml_mibs
  end
end # def register


def run(output_queue)
  begin
    # snmp trap server
    snmptrap_listener(output_queue)
  rescue => e
    @logger.warn("SNMP Trap listener died", :exception => e, :backtrace => e.backtrace)

tom_jonge · September 22, 2015, 1:36pm

input {
 snmptrap {
    port => 162
    community => 'tomtom'
    type => 'snmptrap'
    yamlmibdir => "/opt/logstash/vendor/bundle/jruby/1.9/gems/snmp-1.2.0/data/ruby/snmp/mibs"
  }
}

This has been defined already. Otherwise it wouldnt have been able to correctly translate part of the OID with the yaml mibs in defined yamlmibdir
Stumbled upon that reference yesterday. Already attempted to get

found MIBs: List of MIBs

By running bin/logstash agent -f /etc/logstash/* --debug

Afraid I get the above mentionered error over and over and nothing else.

PhaedrusTheGreek · September 22, 2015, 2:01pm

Can you provide me with a .pcap format packet capture of the incoming trap (dropbox/s3,etc) ? That will help me to reproduce, if it comes to that.

Also, when I start logstash with snmptrap input, I see considerably more debug output, including the mentioned YAMLs loaded.

bin/logstash --debug -f snmptrap-input-test.cfg
...
config LogStash::Outputs::Stdout/@exclude_tags = [] {:level=>:debug, :file=>"logstash/config/mixin.rb", :line=>"111", :method=>"config_init"}
config LogStash::Outputs::Stdout/@workers = 1 {:level=>:debug, :file=>"logstash/config/mixin.rb", :line=>"111", :method=>"config_init"}
checking ~/logstash-1.5.4/vendor/bundle/jruby/1.9/gems/snmp-1.2.0/data/ruby/snmp/mibs/ for MIBs {:level=>:info, :file=>"logstash/inputs/snmptrap.rb", :line=>"40", :method=>"register"}
found MIBs: ACCOUNTING-CONTROL-MIB,ADSL-LINE-EXT-MIB,ADSL-LINE-MIB,ADSL-TC-MIB,ADSL2-LINE-MIB,ADSL2-LINE-TC-MIB,AGENTX-MIB,AGGREGATE-MIB,ALARM-MIB,APM-MIB,APPC-MIB,APPLETALK-MIB,APPLICATION-MIB,APPN-DLUR-MIB,APPN-MIB,APPN-TRAP-MIB,APS-MIB,ARC-MIB,ATM-ACCOUNTING-INFORMATION-MIB,ATM-MIB,ATM-TC-MIB,ATM2-MIB,BGP4-MIB,BLDG-HVAC-MIB,BRIDGE-MIB,CHARACTER-MIB,CIRCUIT-IF-MIB,CLNS-MIB,COFFEE-POT-MIB,COPS-CLIENT-MIB,DECNET-PHIV-MIB,DIAL-CONTROL-MIB,DIFFSERV-CONFIG-MIB,DIFFSERV-DSCP-TC,DIFFSERV-MIB,
...

If I run it without the --debug flag, I see output similar to yours.

Please show me the output of:

bin/logstash --version
bin/plugin list --verbose

(still not sure about why we see that Trap listener died - I will investigate that further).

tom_jonge · September 22, 2015, 2:11pm

Thanks for the help so far Jay!
Running bin/logstash agent -f /etc/logstash/conf.d/02-input-snmp-udp.conf --debug gives me the below with the Trap Listener died at the end.

It's a Trap! {:Port=>162, :Community=>["tomtom"], :Host=>"0.0.0.0", :MibDir=>"/opt/logstash/vendor/bundle/jruby/1.9/gems/snmp-1.2.0/data/ruby/snmp/mibs", :MibModules=>["MPLS-TC-STD-MIB", "CAPWAP-BASE-MIB", "FORTINET-CORE-MIB", "SNMPv2-SMI", "IPOA-MIB", "DIFFSERV-CONFIG-MIB", "MPLS-LDP-STD-MIB", "RFC1316-MIB", "MPLS-L3VPN-STD-MIB", "TN3270E-RT-MIB", "MPLS-LC-ATM-STD-MIB", "IANA-MAU-MIB", "DOCS-IF-MIB", "SNMPv2-MIB", "FORCES-MIB", "ADSL-LINE-EXT-MIB", "T11-FC-ROUTE-MIB", "LMP-MIB", "PKTC-IETF-EVENT-MIB", "TRIP-TC-MIB", "DS0-MIB", "URI-TC-MIB", "SNMPv2-PARTY-MIB", "SYSLOG-MSG-MIB", "MAU-MIB", "SNMP-SSH-TM-MIB", "ADSL-LINE-MIB", "T11-FC-SP-AUTHENTICATION-MIB", "ISCSI-MIB", "DECNET-PHIV-MIB", "GMPLS-LABEL-STD-MIB", "TCP-MIB", "IF-INVERTED-STACK-MIB", "FORTINET-FORTIGATE-MIB", "VDSL2-LINE-MIB", "TN3270E-MIB", "ATM-MIB", "T11-TC-MIB", "RADIUS-ACC-CLIENT-MIB", "SLAPM-MIB", "PW-ATM-MIB", "BLDG-HVAC-MIB", "FC-MGMT-MIB", "TOKEN-RING-RMON-MIB", "SIP-SERVER-MIB", "SIP-TC-MIB", "RMON2-MIB", "NHRP-MIB", "ENTITY-MIB", "SNMPv2-M2M-MIB", "ISIS-MIB", "IPFIX-SELECTOR-MIB", "ENTITY-STATE-MIB", "PPP-IP-NCP-MIB", "TCPIPX-MIB", "INTERFACETOPN-MIB", "IANA-GMPLS-TC-MIB", "ROHC-RTP-MIB", "RAQMON-RDS-MIB", "UDPLITE-MIB", "IP-FORWARD-MIB", "MOBILEIPV6-MIB", "IPV6-MIB", "DNS-RESOLVER-MIB", "SNMP-USM-AES-MIB", "IANA-LANGUAGE-MIB", "Finisher-MIB", "IPATM-IPMC-MIB", "APPN-TRAP-MIB", "FRNETSERV-MIB", "SNMP-COMMUNITY-MIB", "GSMP-MIB", "IANA-PWE3-MIB", "ADSL2-LINE-MIB", "SNMP-NOTIFICATION-MIB", "APPC-MIB", "SNMP-REPEATER-MIB", "IPV6-TCP-MIB", "TIME-AGGREGATE-MIB", "RFC1414-MIB", "BGP4-MIB", "PINT-MIB", "PerfHist-TC-MIB", "FR-ATM-PVC-SERVICE-IWF-MIB", "VDSL-LINE-EXT-MCM-MIB", "IBM-6611-APPN-MIB", "SSPM-MIB", "SNMPv2-TM", "DISMAN-NSLOOKUP-MIB", "RTP-MIB", "AGGREGATE-MIB", "T11-FC-SP-SA-MIB", "IP-MIB", "TCP-ESTATS-MIB", "SCTP-MIB", "DIRECTORY-SERVER-MIB", "PTOPO-MIB", "FCIP-MGMT-MIB", "FIBRE-CHANNEL-FE-MIB", "MPLS-FTN-STD-MIB", "PPP-SEC-MIB", "HC-RMON-MIB", "HPR-IP-MIB", "HPR-MIB", "RFC1381-MIB", "DIFFSERV-DSCP-TC", "VDSL-LINE-EXT-SCM-MIB", "INET-ADDRESS-MIB", "IANA-PRINTER-MIB", "DNS-SERVER-MIB", "NETWORK-SERVICES-MIB", "OPT-IF-MIB", "MIP-MIB", "FRSLD-MIB", "PKTC-IETF-MTA-MIB", "HOST-RESOURCES-MIB", "TOKENRING-MIB", "IANATn3270eTC-MIB", "T11-FC-RSCN-MIB", "SNA-SDLC-MIB", "OSPF-MIB", "ATM2-MIB", "DOT3-OAM-MIB", "RFC1285-MIB", "MGMD-STD-MIB", "APPN-DLUR-MIB", "PW-STD-MIB", "GMPLS-TE-STD-MIB", "DOT12-IF-MIB", "APS-MIB", "ETHER-WIS", "ISDN-MIB", "RFC1158-MIB", "IANA-FINISHER-MIB", "T11-FC-NAME-SERVER-MIB", "GMPLS-LSR-STD-MIB", "IF-MIB", "RFC1269-MIB", "TPM-MIB", "IPS-AUTH-MIB", "RFC1065-SMI", "POWER-ETHERNET-MIB", "ACCOUNTING-CONTROL-MIB", "IFCP-MGMT-MIB", "SNMP-MPD-MIB", "IANA-ITU-ALARM-TC-MIB", "SNMP-FRAMEWORK-MIB", "FRAME-RELAY-DTE-MIB", "ALARM-MIB", "TE-MIB", "DLSW-MIB", "SYSAPPL-MIB", "IPMROUTE-STD-MIB", "PPP-BRIDGE-NCP-MIB", "DOCS-IETF-CABLE-DEVICE-NOTIFICATION-MIB", "PW-TDM-MIB", "RFC1155-SMI", "DS1-MIB", "IANA-RTPROTO-MIB", "UPS-MIB", "HC-PerfHist-TC-MIB", "T11-FC-FSPF-MIB", "IANA-ADDRESS-FAMILY-NUMBERS-MIB", "Job-Monitoring-MIB", "APM-MIB", "MSDP-MIB", "WWW-MIB", "MPLS-LDP-FRAME-RELAY-STD-MIB", "DS0BUNDLE-MIB", "ATM-TC-MIB", "DISMAN-EVENT-MIB", "SMON-MIB", "IPSEC-SPD-MIB", "IF-CAP-STACK-MIB", "ADSL2-LINE-TC-MIB", "DOCS-IETF-BPI2-MIB", "ADSL-TC-MIB", "IANA-CHARSET-MIB", "IPV6-MLD-MIB", "DOT3-EPON-MIB", "ENTITY-SENSOR-MIB", "MPLS-LDP-GENERIC-STD-MIB", "EBN-MIB", "POLICY-BASED-MANAGEMENT-MIB", "IPV6-FLOW-LABEL-MIB", "Q-BRIDGE-MIB", "SFLOW-MIB", "T11-FC-SP-ZONING-MIB", "RFC1213-MIB", "T11-FC-FABRIC-LOCK-MIB", "ARC-MIB", "LANGTAG-TC-MIB", "VDSL-LINE-MIB", "EtherLike-MIB", "AGENTX-MIB", "DISMAN-TRACEROUTE-MIB", "RIPv2-MIB", "ITU-ALARM-TC-MIB", "GMPLS-TC-STD-MIB", "HCNUM-TC", "RAQMON-MIB", "OSPFV3-MIB", "SNMP-IEEE802-TM-MIB", "CHARACTER-MIB", "PW-ENET-STD-MIB", "TRIP-MIB", "PIM-STD-MIB", "VPN-TC-STD-MIB", "DIFFSERV-MIB", "MALLOC-MIB", "HOST-RESOURCES-TYPES", "IANAifType-MIB", "T11-FC-FABRIC-ADDR-MGR-MIB", "TOKENRING-STATION-SR-MIB", "RADIUS-AUTH-SERVER-MIB", "COFFEE-POT-MIB", "SMUX-MIB", "SNMPv2-USEC-MIB", "DISMAN-SCHEDULE-MIB", "CAPWAP-DOT11-MIB", "DOCS-IETF-QOS-MIB", "HDSL2-SHDSL-LINE-MIB", "MPLS-LC-FR-STD-MIB", "SNMP-USM-DH-OBJECTS-MIB", "VDSL2-LINE-TC-MIB", "T11-FC-ZONE-SERVER-MIB", "PW-TC-STD-MIB", "SIP-COMMON-MIB", "T11-FC-VIRTUAL-FABRIC-MIB", "RADIUS-AUTH-CLIENT-MIB", "RADIUS-ACC-SERVER-MIB", "DIAL-CONTROL-MIB", "SIP-UA-MIB", "T11-FC-SP-TC-MIB", "DSA-MIB", "RSERPOOL-MIB", "INTEGRATED-SERVICES-GUARANTEED-MIB", "SNMP-TSM-MIB"], :level=>:info, :file=>"logstash/inputs/snmptrap.rb", :line=>"68", :method=>"snmptrap_listener"}

So they are being loaded.

tom_jonge · September 22, 2015, 2:11pm

As requested:

bin/logstash --version
logstash 1.5.4

bin/plugin list --verbose
logstash-codec-collectd (1.0.1)
logstash-codec-dots (1.0.0)
logstash-codec-edn (1.0.0)
logstash-codec-edn_lines (1.0.0)
logstash-codec-es_bulk (1.0.0)
logstash-codec-fluent (1.0.0)
logstash-codec-graphite (1.0.0)
logstash-codec-json (1.0.1)
logstash-codec-json_lines (1.0.1)
logstash-codec-line (1.0.0)
logstash-codec-msgpack (1.0.0)
logstash-codec-multiline (1.0.0)
logstash-codec-netflow (1.0.0)
logstash-codec-oldlogstashjson (1.0.0)
logstash-codec-plain (1.0.0)
logstash-codec-rubydebug (1.0.0)
logstash-filter-anonymize (1.0.0)
logstash-filter-checksum (1.0.1)
logstash-filter-clone (1.0.0)
logstash-filter-csv (1.0.0)
logstash-filter-date (1.0.0)
logstash-filter-dns (1.0.0)
logstash-filter-drop (1.0.0)
logstash-filter-fingerprint (1.0.0)
logstash-filter-geoip (1.0.2)
logstash-filter-grok (1.0.0)
logstash-filter-json (1.0.1)
logstash-filter-kv (1.0.0)
logstash-filter-metrics (1.0.0)
logstash-filter-multiline (1.0.0)
logstash-filter-mutate (1.0.1)
logstash-filter-ruby (1.0.0)
logstash-filter-sleep (1.0.0)
logstash-filter-split (1.0.0)
logstash-filter-syslog_pri (1.0.0)
logstash-filter-throttle (1.0.0)
logstash-filter-urldecode (1.0.0)
logstash-filter-useragent (1.0.1)
logstash-filter-uuid (1.0.0)
logstash-filter-xml (1.0.0)
logstash-input-couchdb_changes (1.0.0)
logstash-input-elasticsearch (1.0.0)
logstash-input-eventlog (1.0.0)
logstash-input-exec (1.0.0)
logstash-input-file (1.0.1)
logstash-input-ganglia (1.0.0)
logstash-input-gelf (1.0.0)
logstash-input-generator (1.0.0)
logstash-input-graphite (1.0.0)
logstash-input-heartbeat (1.0.0)
logstash-input-http (1.0.2)
logstash-input-imap (1.0.0)
logstash-input-irc (1.0.0)
logstash-input-kafka (1.0.0)
logstash-input-log4j (1.0.0)
logstash-input-lumberjack (1.0.4)
logstash-input-pipe (1.0.0)
logstash-input-rabbitmq (1.1.0)
logstash-input-redis (1.0.3)
logstash-input-s3 (1.0.0)
logstash-input-snmptrap (1.0.0)
logstash-input-sqs (1.0.0)
logstash-input-stdin (1.0.0)
logstash-input-syslog (1.0.1)
logstash-input-tcp (1.0.0)
logstash-input-twitter (1.0.1)
logstash-input-udp (1.0.0)
logstash-input-unix (1.0.0)
logstash-input-xmpp (1.0.0)
logstash-input-zeromq (1.0.0)
logstash-output-cloudwatch (1.0.0)
logstash-output-csv (1.0.0)
logstash-output-elasticsearch (1.0.7)
logstash-output-elasticsearch_http (1.0.0)
logstash-output-email (1.0.0)
logstash-output-exec (1.0.0)
logstash-output-file (1.0.0)
logstash-output-ganglia (1.0.0)
logstash-output-gelf (1.0.0)
logstash-output-graphite (1.0.2)
logstash-output-hipchat (1.0.0)
logstash-output-http (1.0.0)
logstash-output-irc (1.0.0)
logstash-output-juggernaut (1.0.0)
logstash-output-kafka (1.0.0)
logstash-output-lumberjack (1.0.2)
logstash-output-nagios (1.0.0)
logstash-output-nagios_nsca (1.0.0)
logstash-output-null (1.0.0)
logstash-output-opentsdb (1.0.0)
logstash-output-pagerduty (1.0.0)
logstash-output-pipe (1.0.0)
logstash-output-rabbitmq (1.1.1)
logstash-output-redis (1.0.0)
logstash-output-s3 (1.0.0)
logstash-output-sns (2.0.1)
logstash-output-sqs (1.0.0)
logstash-output-statsd (1.1.0)
logstash-output-stdout (1.0.0)
logstash-output-tcp (1.0.0)
logstash-output-udp (1.0.0)
logstash-output-xmpp (1.0.0)
logstash-output-zeromq (1.0.0)
logstash-patterns-core (0.3.0)

Ill work on that pcap format packet capture.

PhaedrusTheGreek · September 22, 2015, 2:15pm

Thanks, if you can provide me the exact MIB files you're using as well, that would help.

tom_jonge · September 22, 2015, 2:26pm

.mib filetype is unauthorized and pasting it here will exceed character limit.
Using dropbox.

Added a .pcap file to dropbox. https://www.dropbox.com/s/9mftrvbjaq3g3vh/capture.pcap?dl=0Looks a little jumbled to me when viewing with tcpick -C -yP -r capture.pcap.
Let me know if the file is useless.

tom_jonge · September 22, 2015, 2:57pm

Just noticed something peculiar in relation to snmp trap listener died. I'm used to running logstash as a service (as per several tutorials). Noticed that with the service stopped, udp6 port 162 is still occupied and snmptraps are still being processed. Somehow logstash is still running.

Have to go, thanks a million for your help so far. Currently suspecting an old zombie java process for Logstash is the culprit. Will continue troubleshooting tomorrow.

PhaedrusTheGreek · September 22, 2015, 5:47pm

OK I was able to reproduce using your MIBs and PCAP, however in my case, the OID was translated! (Go Figure).

I received the same error about the Trap Listener Dying while i was testing as an unprivileged user. As root, the message ceased. That's obviously not what happened in your case, but i just thought i would mention it.
I used the import.rb script to import your MIBs.
I used tcprewrite/tcpreplay to shoot the traps at my listener, and received the following ruby debug output.

                                        "host" => "192.168.0.2",
                                    "@version" => "1",
                                  "@timestamp" => "2015-09-22T17:34:42.551Z",
                                        "type" => "snmptrap",
    "DISMAN-EXPRESSION-MIB::sysUpTimeInstance" => "106 days, 01:43:44.15",
                   "SNMPv2-MIB::snmpTrapOID.0" => "FORTINET-CORE-MIB::fortinet.101.2.0.504",
            "FORTINET-CORE-MIB::fnSysSerial.0" => "FGT80C3912619162",
                       "SNMPv2-MIB::sysName.0" => "office-fn1",
     "FORTINET-CORE-MIB::fortinet.101.9.3.1.0" => "40",
     "FORTINET-CORE-MIB::fortinet.101.9.3.2.0" => "172.16.20.76",
     "FORTINET-CORE-MIB::fortinet.101.9.3.3.0" => "unknown dos attack"

Is this the output you're hoping for? If so, there must be some minor difference between what we are both doing. Would you please use my test config and show me your corresponding output?

input {
        snmptrap {
                    port => 162
                    community => 'tomtom'
                    type => 'snmptrap'
                    yamlmibdir => "/Users/jay/Workspace/logstash-1.5.4/vendor/bundle/jruby/1.9/gems/snmp-1.2.0/data/ruby/snmp/mibs/"
          }
}

output {
        stdout { codec => rubydebug }
}

Also as a hail mary you could do a

 bin/plugin update

Be careful here - and please backup your logstash installation before doing this - Answer "No" to any updates that have no backwards compatibility from Elasticsearch 2.0, and then let watch the output to see if snmp or logstash-input-snmptrap packages were updated.

tom_jonge · September 23, 2015, 7:40am

Thanks so much for all your help. Is there a way I can give you a positive review somehow?

Killing all logstash related java processes and then rebooting the server seems to have solved the problem with translating the OID's and the SNMP Trap Listener Died error (somehow related?) Maybe my method of making logstash run as root is not ideal?
I just changed LS_user to root in /etc/init'd/logstash. I tried setcap because running logstash as root is obviously not ideal but this was unsuccesfull.

PhaedrusTheGreek · September 23, 2015, 1:24pm

@tom_jonge, I'm glad that we have gotten things resolved.

It is generally not advised to run logstash as root, if it can be avoided, but we understand of course that sometimes root privileges are necessary, for example in this case. You can usually work around these limitations in the OS by assigning proper permissions, etc, and we recommend doing so in your production environment.

widhalm_t · February 2, 2016, 9:16am

Hi @PhaedrusTheGreek

Thanks for your solution. Unfortunately I can't get the script to work on some systems.

I does what it should on Fedora 20 (ruby 2.0.0p353) but it won't work on SLES 11 SP4 (ruby 1.8.7). On SLES I always get the output:

unrecognized option -k *** Import failed for: [mibfile] ***

Since the whole script does not contain a -k and I'm not a Ruby guy I'm stuck.

I thought, maybe there's a mismatch in the ruby versions and tried to search for a ruby binary in the logstash installation but i didn't find one I could use (Logstash 1.5.1).

Maybe you could give me a hint?

I tried other scripts to convert mibs to yaml but they all have more dependencies I can not fulfill on SLES 11 SP4.

Thanks in advance!

PhaedrusTheGreek · April 14, 2016, 3:23pm

@widhalm_t,

It seems that the -k option is only available after libsmi libsmi-0.4.6 (in the smidump command).

I filed this issue with the maintainer.

It seems that libsmi-0.4.5 is what you get with SLES 11. Possible solution then would be to try a manual upgrade.

Jay

PhaedrusTheGreek · April 15, 2016, 5:43pm

Tested on Ubuntu 14.04.4 LTS.

Requires

apt-get install smitools

stefansaye · April 15, 2016, 11:21pm

i have install smitools and put my vendors' mib files into mibs directory , but still get the error .

/opt/logstash/vendor/bundle/jruby/1.9/gems/snmp-1.2.0# ruby -d import.rb mibs/

Exception LoadError' at /usr/lib/ruby/2.1.0/rubygems.rb:1203 - cannot load such file -- rubygems/defaults/ruby
ExceptionNameError' at /usr/lib/ruby/2.1.0/psych/class_loader.rb:67 - uninitialized constant BigDecimal
Exception NameError' at /usr/lib/ruby/2.1.0/psych/class_loader.rb:67 - uninitialized constant DateTime
ExceptionNameError' at /usr/lib/ruby/2.1.0/psych/core_ext.rb:16 - methodto_yaml' not defined in Object
ExceptionNameError' at /usr/lib/ruby/2.1.0/psych/core_ext.rb:29 - methodyaml_as' not defined in Module
ExceptionNameError' at /usr/lib/ruby/2.1.0/psych/deprecated.rb:81 - undefined methodto_yaml_properties' for classObject'
mibs/
mibs//CERENT-TC.mib
Exception Errno::EEXIST' at /usr/lib/ruby/2.1.0/fileutils.rb:250 - File exists @ dir_s_mkdir - /opt/logstash/vendor/bundle/jruby/1.9/gems/snmp-1.2.0/data/ruby/snmp/mibs
smidump: modulemibs//CERENT-TC.mib' contains errors, expect flawed output
mibs//CERENT-GLOBAL-REGISTRY.mib
Exception Errno::EEXIST' at /usr/lib/ruby/2.1.0/fileutils.rb:250 - File exists @ dir_s_mkdir - /opt/logstash/vendor/bundle/jruby/1.9/gems/snmp-1.2.0/data/ruby/snmp/mibs
mibs//CERENT-MSDWDM-MIB.mib
ExceptionErrno::EEXIST' at /usr/lib/ruby/2.1.0/fileutils.rb:250 - File exists @ dir_s_mkdir - /opt/logstash/vendor/bundle/jruby/1.9/gems/snmp-1.2.0/data/ruby/snmp/mibs
smidump: cannot locate module `mibs//CERENT-MSDWDM-MIB.mib'
*** Import failed for: mibs//CERENT-MSDWDM-MIB.mib ***

Topic		Replies	Views
How to import my Vendor's MIBs? Logstash	3	3079	July 6, 2017
MIB OID Translation for the same oid? Logstash	4	1406	July 6, 2017
Logstash - SNMP Input - Trouble Converting / Using MIB Files Logstash	5	3903	June 5, 2020
Fortinet MIB's Logstash	1	1718	April 14, 2017
IMPORT .mib to Logstash snmptrap input Logstash	1	595	May 1, 2020

MIB OID Translation

Related topics