SNMP-trap OID escaping .0 for Queries

alerting

#1

Greetings,

I'm currently feeding SNMP traps into my ELK stack and have run into a problem with the translated OIDs and trying to query them in a watch.

The watch in question:

/_watcher/watch/test_event
{
      "trigger": {
        "schedule": {
          "interval": "60s"
        }
      },
      "input": {
        "search": {
          "request": {
            "indices": [
              "logstash-*"
            ],
            "search_type": "query_then_fetch",
            "body": {
              "query": {
                "filtered": {
                  "query": {
                    "bool": {
                      "should": [
                        {
                          "match": {
                            "message": "test"
                          }
                        }
                      ]
                    }
                  },
                  "filter": {
                    "range": {
                      "@timestamp": {
                        "from": "{{ctx.trigger.scheduled_time}}||-60s",
                        "to": "{{ctx.trigger.triggered_time}}"
                      }
                    }
                  }
                }
              },
              "fields": [
                "RFC1213-MIB::sysName.0",
                "FORTINET-FORTIGATE-MIB::fgIpsTrapSigMsg.0",
                "FORTINET-FORTIGATE-MIB::fgIpsTrapSrcIp.0",
                "DISMAN-EXPRESSION-MIB::sysUpTimeInstance",
                "@timestamp"
              ],
              "sort": [
                {
                  "@timestamp": {
                    "order": "desc"
                  }
                }
              ]
            }
          }
        }
      },
      "throttle_period": "60s",
      "condition": {
        "script": {
          "inline": "ctx.payload.hits.size() > 0 "
        }
      },
      "actions": {
          "send_email": {
            "email": {
              "to": "receiving@gmail.com",
              "subject": " Watcher Notification - Event: {{ctx.payload.hits.hits.0.fields.FORTINET-FORTIGATE-MIB::fgIpsTrapSigMsg.0}} ON DEVICE: {{ctx.payload.hits.hits.0.fields.RFC1213-MIB::sysName.0}} SRC IP: {{ctx.payload.hits.hits.0.fields.FORTINET-FORTIGATE-MIB::fgIpsTrapSrcIp.0}} AT: {{ctx.trigger.triggered_time}} UTC",
              "body": {
              "html": "<HTML><b>Trigger time: </b>{{ctx.trigger.triggered_time}} UTC<br><b>Event: </b>{{ctx.payload.hits.hits.0.fields.FORTINET-FORTIGATE-MIB::fgIpsTrapSigMsg.0}}<br><b>Device: </b>{{ctx.payload.hits.hits.0.fields.RFC1213-MIB::sysName.0}}<br><b>Src IP: </b>{{ctx.payload.hits.hits.0.fields.FORTINET-FORTIGATE-MIB::fgIpsTrapSrcIp.0}}<br><b>Uptime: </b>{{ctx.payload.hits.hits.0.fields.DISMAN-EXPRESSION-MIB::sysUpTimeInstance}}</HTML>"
              }
            }
          }
        }
      }

As you can see, some of the OIDs are being translated into fields ending with ".0".
For example:

FORTINET-FORTIGATE-MIB::fgIpsTrapSigMsg.0

Only the fields ending in ".0" remain empty. ctx.payload.hits.hits.0.fields.DISMAN-EXPRESSION-MIB::sysUpTimeInstance gives me the correct output. To me it seems like the ".0" is part of the OID but it seems the "." is being treated as another divider like the "." in ctx.payload.

Is there a way to escape the "."?
I tried:

FORTINET-FORTIGATE-MIB::fgIpsTrapSigMsg\.0

But that gives me the following error:

nested: JsonParseException[Unrecognized character escape '.' (code 46)\n at [Source: [B@60a0bd4; line: 39, column: 36]]; ","status":500}

Edit:

Double escaping like below does not work either.

FORTINET-FORTIGATE-MIB::fgIpsTrapSigMsg\\.0


(Steve Kearns) #2

Hi Tom,

Using dots in field names is not a good practice - it causes a lot of confusion and complexity, and this is just one example of why. In ES 2.0, you can no longer create fields with dots in them, for many reasons.

Can you change the way you index these documents, perhaps by transforming them before they get to ES?

Thanks,
Steve


#3

Hi Steve,

Thanks for the speedy response. This is logstash's SNMP plugin translating OIDs from the YAML MIB.
I'm not too sure if I can just go ahead and remove the .0 part from the MIBs, but it's worth a shot.

Edit:
Seems I can't. So Logstash has SNMP support, but Watcher does not.
I'll keep trying to get it to work.


(Alexander Reelsen) #4

Hey,

FYI, the logstash team is currently evaluating a migration strategy; you can check out the ticket at https://github.com/elastic/logstash/issues/4015

--Alex


#5

Many thanks for the link. Will keep an eye on it. For now I've sorted the problem out by using a logstash filter mutation, but it's an ugly and time consuming workaround.
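To make the failure mode in this thread concrete, here is an added example (not code from the thread, Watcher or Logstash): a small resolver that walks a template path by splitting on ".", exactly as the watch's mustache paths are resolved, run against a constructed payload with the field names from the watch above. It shows why `sysUpTimeInstance` resolves while the `.0` fields come back empty, and why renaming the field before indexing (the mutate-style workaround from the last post) fixes it. The sample values, the `rename_dotted_fields` helper and its underscore convention are assumptions for illustration.

```python
# Added example, not from the thread: a dot-path resolver mimicking how a
# mustache-style template splits "ctx.payload.hits.hits.0.fields.X" on ".".
# Constructed sample payload; values are one-element lists because the
# "fields" option of a search returns arrays.
SAMPLE_CTX = {"payload": {"hits": {"hits": [{"fields": {
    "RFC1213-MIB::sysName.0": ["fw-edge-01"],
    "FORTINET-FORTIGATE-MIB::fgIpsTrapSigMsg.0": ["sig match"],
    "DISMAN-EXPRESSION-MIB::sysUpTimeInstance": ["12 days, 3:04:05"],
}}]}}}

def resolve(ctx, path):
    """Walk `path` one '.'-separated segment at a time; numeric segments index
    lists. Returns None when a segment is missing (a template renders that as
    empty), which is exactly what happens to a key that itself contains '.'."""
    node = {"ctx": ctx}
    for seg in path.split("."):
        if isinstance(node, list):
            if not seg.isdigit() or int(seg) >= len(node):
                return None
            node = node[int(seg)]
        elif isinstance(node, dict) and seg in node:
            node = node[seg]
        else:
            return None
    return node

def rename_dotted_fields(fields):
    """Copy `fields` with '.' in keys replaced by '_' (sysName.0 -> sysName_0),
    the same idea as renaming the field in a Logstash mutate filter (assumed)."""
    return {key.replace(".", "_"): value for key, value in fields.items()}

def dotted_lookup_fails():
    # Segments 'RFC1213-MIB::sysName' and '0': the first is not a key, so empty.
    return resolve(SAMPLE_CTX, "ctx.payload.hits.hits.0.fields.RFC1213-MIB::sysName.0")

def undotted_lookup_works():
    # No '.' inside the field name, so the whole name is one segment and resolves.
    return resolve(SAMPLE_CTX, "ctx.payload.hits.hits.0.fields.DISMAN-EXPRESSION-MIB::sysUpTimeInstance")

def renamed_lookup_works():
    # After renaming, the template path no longer contains a '.' inside the key.
    fields = rename_dotted_fields(SAMPLE_CTX["payload"]["hits"]["hits"][0]["fields"])
    ctx = {"payload": {"hits": {"hits": [{"fields": fields}]}}}
    return resolve(ctx, "ctx.payload.hits.hits.0.fields.RFC1213-MIB::sysName_0")
```

The same rename has to be applied consistently in the watch's `fields` list and in its templates, otherwise the renamed documents will match the query but the email will again render empty values.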

