I am currently attempting to configure the snmptrap input for my ELK server on a VM. I'm new to ELK and have only been working with it for about two weeks now. My configuration is below:
input {
  snmptrap {
    port => 162
    type => "snmptrap"
    community => "public" #yamlmibdir => "/opt/logstash/vendor/bundle/jruby/1.9/gems/snmp-1.2.0/data/ruby/snmp/mibs"
  }
  syslog {
    port => 516
    type => "syslog"
    tags => ["syslog"]
  }
}
Which version of logstash are you using?
Also, are you testing this by using snmp traps from a device or are you generating them manually using a utility?
First allow me to say thank you very much for responding to my question. Here are my versions down below:
Logstash Version - 2.3.1 All Plugins (Tar Version)
Elasticsearch Version - 2.3.3 (DEB Version)
Kibana Version - 4.5.1 (DEB Version)
When I first tested the setup, I used netcat to generate 5 snmptrap packets from the host of my VM. The first two packets were successful in populating in Kibana with correct information; the last 3 were not. After that I attempted to send snmptrap packets from a Cisco WLC 5500 Series. None of these reached Kibana and all produced the "Error handling trap SNMP::BER::OUTOFDATA" messages I showed in my picture above. After that I searched on the internet and attempted to fix it by using
`yamlmibdir => "/opt/logstash/vendor/bundle/jruby/1.9/gems/snmp-1.2.0/data/ruby/snmp/mibs"`. I still received the OUTOFDATA error message, but I was receiving the "Warning Old Mibs are being overwritten" message that appeared in the logstash err file. I also have a physical server set up now available for use if there is a known problem with doing this setup in VMs.
End Goal
My end goal with this is to be able to receive SNMPTRAP/Syslogs from around 11 WLC of different series and Syslogs from around 6 Cisco ISE devices and make that data easily manageable and comparable.
This was my setup to read the data, although the plugin did not work. In order to get data to that port you either need to specify the port in the config by adding `port => 9700`, or you can run logstash as root, since in Linux the lower ports like 162 (which is the default snmptrap port for Cisco devices) are reserved for root.
So the two ways I sent data to logstash in order to test this input were by using a Cisco WLC and enabling and disabling and enabling it to create trap logs, or, the second, by using netcat to send UDP packets to my system ("netcat -u host port"), but this still did not fix my error.
I was able to successfully read in snmptrap data by using tcpdump to append the data sent to port 162 to a file and then reading that file in by using the file input in logstash, and that worked successfully.
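One detail worth checking in this thread, both for the netcat test described earlier and for the port discussion in the last post: netcat sends exactly the bytes you type, not a BER-encoded SNMP message, so the snmptrap input's decoder runs out of data partway through and reports OUTOFDATA. The script below is an added example, not part of the original thread and not the plugin's own code. It builds a minimal, correctly encoded SNMPv1 trap by hand, includes a small checker that reports the same kind of decode failure for truncated or non-BER datagrams, and sends the trap to an unprivileged port. The collector address 127.0.0.1:9700, the agent address 192.0.2.10 and the sample OIDs under the Cisco enterprise arc are constructed for the example.

```python
"""Build a BER-encoded SNMPv1 trap and triage a datagram for BER completeness.

Added example for the thread above; host, port, agent address and OIDs below
are assumptions, not values from the original posts.
"""
import socket


def ber_length(n):
    """Encode a BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, payload):
    """One tag-length-value element."""
    return bytes([tag]) + ber_length(len(payload)) + payload


def ber_int(value, tag=0x02):
    """Non-negative INTEGER in minimal two's complement (sign bit kept at 0)."""
    if value == 0:
        return tlv(tag, b"\x00")
    return tlv(tag, value.to_bytes(value.bit_length() // 8 + 1, "big"))


def ber_oid(oid):
    """OBJECT IDENTIFIER: first two arcs packed into one byte, rest base-128."""
    arcs = [int(a) for a in oid.strip(".").split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return tlv(0x06, bytes(out))


def build_v1_trap(community, enterprise, agent_ip, generic, specific, uptime, varbinds):
    """SNMPv1 Message { version 0, community, Trap-PDU [4] } per RFC 1157."""
    vb_list = b"".join(tlv(0x30, ber_oid(o) + tlv(0x04, v.encode())) for o, v in varbinds)
    pdu = (ber_oid(enterprise)
           + tlv(0x40, socket.inet_aton(agent_ip))   # NetworkAddress, [APPLICATION 0]
           + ber_int(generic) + ber_int(specific)
           + ber_int(uptime, tag=0x43)                # TimeTicks, [APPLICATION 3]
           + tlv(0x30, vb_list))
    return tlv(0x30, ber_int(0) + tlv(0x04, community.encode()) + tlv(0xA4, pdu))


def ber_read_tlv(data, pos=0):
    """Return (tag, value_bytes, next_pos); raise ValueError when data runs out,
    which is the condition the Ruby snmp gem reports as BER::OutOfData."""
    if pos + 2 > len(data):
        raise ValueError("out of data: no tag/length at offset %d" % pos)
    tag, first = data[pos], data[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        if pos + n > len(data):
            raise ValueError("out of data: truncated long-form length")
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    else:
        length = first
    if pos + length > len(data):
        raise ValueError("out of data: value declares %d bytes, %d available"
                         % (length, len(data) - pos))
    return tag, data[pos:pos + length], pos + length


def parse_snmp_header(datagram):
    """Decode version and community of an SNMPv1/v2c message or raise ValueError."""
    tag, body, end = ber_read_tlv(datagram)
    if tag != 0x30 or end != len(datagram):
        raise ValueError("top-level element is not a single SEQUENCE")
    vtag, version, pos = ber_read_tlv(body)
    ctag, community, pos = ber_read_tlv(body, pos)
    if vtag != 0x02 or ctag != 0x04:
        raise ValueError("expected INTEGER version and OCTET STRING community")
    return {"version": int.from_bytes(version, "big"), "community": community.decode()}


def check_datagram(datagram):
    """(True, header) for a decodable message, (False, reason) otherwise."""
    try:
        return True, parse_snmp_header(datagram)
    except ValueError as exc:
        return False, str(exc)


def send_trap(datagram, host="127.0.0.1", port=9700):
    """Send one UDP datagram; 9700 is the unprivileged port from the thread (assumed)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(datagram, (host, port))


if __name__ == "__main__":
    trap = build_v1_trap("public", "1.3.6.1.4.1.9", "192.0.2.10",
                         6, 1, 12345, [("1.3.6.1.4.1.9.9.1", "test")])
    print(check_datagram(trap))               # constructed trap decodes
    print(check_datagram(b"netcat test\n"))   # what a netcat line looks like to the decoder
    print(check_datagram(trap[:-1]))          # a trap cut short on the wire
    send_trap(trap)
```

Run it with the snmptrap input listening on `port => 9700` and the event should appear in Logstash; the two failing `check_datagram` calls show why typed netcat input and truncated captures both surface as an out-of-data error rather than a community or MIB problem.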