SNMP - loss of data when sending information from logstash to elasticsearch

Hello everyone,

I have installed ELK: one ELASTICSEARCH server, 3 servers (collectors) that have LOGSTASH and ELASTIFLOW installed, and each one is in 3 branches. In a branch there is a server where Logstash is installed; it collects SNMP information and then sends it to the ELASTICSEARCH MASTER. All that information is shown to me through the Kibana Dashboard. My question is:

Why in Kibana do I have a minute loss along the whole timestamp?

This is my Logstash input config:

    input {
      snmp {
        walk => ["1.3.6.1.2.1.1", "1.3.6.1.2.1.2", "1.3.6.1.4.1.9.9.109.1.1"]
        # get => ["1.3.6.1.2.1.2.2.1.10.10102", "1.3.6.1.2.1.2.2.1.16.10102"]
        # walk => ["1.3.6.1.2.1.1"]
        hosts => [{host => "udp:x.x.x.x/161" community => "public"}]
        mib_paths => ["/etc/logstash/mibs/"]
        add_field => {host => "%{[@metadata][host_protocol]}:%{[@metadata][host_address]}/%{[@metadata][host_port]},%{[@metadata][host_community]}"}
      }
    }

And this is my output:

    output {
      elasticsearch {
        id => "output_elasticsearch_single"
        document_type => "elasticsearch"
        hosts => ["http://y.y.y.y:9200"]
        # index => "{%[@metadata][snmp]}-%{+YYYY.MM.dd}"
        index => "snmp-cisco-%{+YYYY.MM.dd}"
      }
    }

According to me, the logstash log does not show me any error:

Help!! I am new to ELK.

Hi,

This is not 1 minute "missing" but rather it is 30 seconds. You need to set the polling interval in the SNMP plugin to tell it how long between walk intervals.

Hello Eniqmatic, well if you're right, the default polling interval is 30 seconds, as it says here: https://www.elastic.co/guide/en/logstash/current/plugins-inputs-snmp.html

So I added the interval => 0 line in the logstash.yml configuration and with that I already have a single timeline without jumps.

Logstash input:

    input {
      snmp {
        walk => ["1.3.6.1.2.1.1", "1.3.6.1.2.1.2", "1.3.6.1.4.1.9.9.109.1.1"]
        get => ["1.3.6.1.2.1.2.2.1.10.10102", "1.3.6.1.2.1.2.2.1.16.10102"]
        hosts => [{host => "udp:x.x.x.x/161" community => "public"}]
        mib_paths => ["/etc/logstash/mibs/"]
        oid_root_skip => 5
        interval => 0
        add_field => {host => "%{[@metadata][host_protocol]}:%{[@metadata][host_address]}/%{[@metadata][host_port]},%{[@metadata][host_community]}"}
      }
    }

TimeLine:

Thanks Eniqmatic!!

Good news! Please mark as solved!
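
An added example, not part of the original thread: a small check that tells a polling cadence (the 30-second interval discussed above) apart from polls that never arrived. The function names and the sample timestamps are constructed for illustration, and the code assumes one event timestamp per poll of a host.

```python
from datetime import datetime, timedelta, timezone


def empty_buckets(timestamps, bucket_s):
    """Return (empty, total) histogram buckets of bucket_s seconds between first and last event."""
    first, last = min(timestamps), max(timestamps)
    total = int((last - first).total_seconds() // bucket_s) + 1
    filled = {int((t - first).total_seconds() // bucket_s) for t in timestamps}
    return total - len(filled), total


def missed_polls(timestamps, interval_s, tolerance=0.5):
    """Return (gap_start, gap_end, polls_missing) wherever spacing exceeds the poll interval."""
    ts = sorted(timestamps)
    gaps = []
    for prev, cur in zip(ts, ts[1:]):
        delta = (cur - prev).total_seconds()
        # Allow some jitter before calling a longer spacing a missed poll.
        if delta > interval_s * (1 + tolerance):
            gaps.append((prev, cur, round(delta / interval_s) - 1))
    return gaps


def sample_polls(start, interval_s, count, drop=()):
    """Constructed poll timestamps; indexes listed in `drop` simulate polls that never arrived."""
    return [start + timedelta(seconds=i * interval_s)
            for i in range(count) if i not in drop]


# Constructed sample data: 20 polls, 30 seconds apart.
START = datetime(2019, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
HEALTHY = sample_polls(START, 30, 20)
LOSSY = sample_polls(START, 30, 20, drop={7, 8})

if __name__ == "__main__":
    # Buckets finer than the poll interval look like holes even though no poll was lost.
    print("healthy, 10 s buckets:", empty_buckets(HEALTHY, 10))
    print("healthy, 30 s buckets:", empty_buckets(HEALTHY, 30))
    print("healthy, missed polls:", missed_polls(HEALTHY, 30))
    # Real loss shows up as spacing well above the configured interval.
    for start, end, missing in missed_polls(LOSSY, 30):
        print(f"lossy: {missing} poll(s) missing between {start:%H:%M:%S} and {end:%H:%M:%S}")
```
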
