Snmptrap input

Hello,

I am currently attempting to configure the snmptrap input for my ELK server on a VM. I'm new to ELK and have only been working with it for about two weeks now. My configuration is below:

input {
  snmptrap {
    port => 162
    type => "snmptrap"
    community => "public"
    #yamlmibdir => "/opt/logstash/vendor/bundle/jruby/1.9/gems/snmp-1.2.0/data/ruby/snmp/mibs"
  }
  syslog {
    port => 516
    type => "syslog"
    tags => ["syslog"]
  }
}

filter {
}

output {
  stdout {}
  elasticsearch { hosts => ["localhost:9200"] }
}

End of the config file.

When I send SNMP traffic my machine receives it, but then outputs the error below in the /var/log/logstash/logstash.stdout file.

Does anyone know how to fix this error message? I can't find anything online about it.

Which version of logstash are you using?
Also, are you testing this using SNMP traps from a device, or are you generating them manually using a utility?

/Jeremy

Hello Jeremy,

First allow me to say thank you very much for responding to my question. Here are my versions below:

Logstash Version - 2.3.1 All Plugins (Tar Version)
Elasticsearch Version - 2.3.3 (DEB Version)
Kibana Version - 4.5.1 (DEB Version)

When I first tested the setup, I used netcat to generate 5 snmptrap packets from the host of my VM. The first two packets successfully populated in Kibana with correct information; the last 3 did not. After that I attempted to send snmptrap packets from a Cisco WLC 5500 Series. None of these reached Kibana, and all produced the "Error handling trap SNMP::BER::OUTOFDATA" messages I showed in my picture above. After that I searched on the internet and attempted to fix it by using
yamlmibdir => "/opt/logstash/vendor/bundle/jruby/1.9/gems/snmp-1.2.0/data/ruby/snmp/mibs". I still received the OUTOFDATA error message, but I was also receiving the "Warning Old Mibs are being overwritten" message that appeared in the logstash err file. I also have a physical server set up and available for use now, if there is a known problem with doing this setup in VMs.

End Goal

My end goal with this is to be able to receive SNMP traps/syslogs from around 11 WLCs of different series and syslogs from around 6 Cisco ISE devices, and to make that data easily manageable and comparable.

Did you ever figure this out? I've been looking into something similar.

How did you send SNMP info to Logstash? I've been trying to test the snmptrap input, but I haven't figured out how to actually send data to it...

Unfortunately no, I have not figured it out fully. I found a workaround that I'll explain later.

In order to get information to my Logstash I used the snmptrap plugin:

input {
  snmptrap {
    port => 162
    type => "snmptrap"
    community => "public"
  }
}

filter {
}

output {
  stdout {}
  elasticsearch { hosts => ["localhost:9200"] }
}

This was my setup to read the data, although the plugin did not work. In order to get data to that port you either need to specify the port in the config by adding "port => 9700", or you can run Logstash as root, since in Linux the lower ports like 162, which is the default snmptrap port for Cisco devices, are reserved for root.

So the two ways I sent data to Logstash in order to test this input were either using a Cisco WLC and disabling and re-enabling it to create trap logs, or using netcat to send UDP packets to my system ("netcat -u host port"), but this still did not fix my error.

I was able to successfully read in snmptrap data by using tcpdump to append the data sent to port 162 to a file, and then reading that file in using the file input in Logstash; that worked successfully.
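The thread tests the snmptrap input with a Cisco WLC and with text typed into `netcat -u`. The following is an added example, not code from the thread or from the Logstash snmptrap plugin: a dependency-free Ruby script that builds a valid SNMPv2c trap in BER (the format a trap receiver on UDP/162 expects), parses it back the way a receiver must, and shows what happens to a datagram that is not BER at all or is cut short. The `OutOfData` exception is this script's own class, named after the error string quoted above, not the snmp gem's; the OIDs are standard (sysUpTime.0, snmpTrapOID.0, coldStart) but the community, uptime and sample text are constructed values.

```ruby
# Added example (not from the thread or the Logstash snmptrap plugin):
# a dependency-free BER encoder/decoder for an SNMPv2c TRAP, used to show
# what a trap receiver expects on UDP/162 and why arbitrary bytes fail.

module SnmpTrapDemo
  # Raised when a BER length field promises more bytes than the datagram
  # holds; the name echoes the thread's OUTOFDATA but is this demo's own class.
  class OutOfData < StandardError; end

  module_function

  # ---- BER encoding ------------------------------------------------------
  def ber_len(n)
    return [n].pack('C') if n < 0x80
    bytes = []
    while n > 0
      bytes.unshift(n & 0xff)
      n >>= 8
    end
    [0x80 | bytes.size].pack('C') + bytes.pack('C*')
  end

  def tlv(tag, body)
    [tag].pack('C') + ber_len(body.bytesize) + body
  end

  def int_body(v) # non-negative integers only, enough for a trap
    bytes = []
    loop do
      bytes.unshift(v & 0xff)
      v >>= 8
      break if v.zero?
    end
    bytes.unshift(0) if bytes.first >= 0x80 # keep the sign bit clear
    bytes.pack('C*')
  end

  def ber_int(v)    tlv(0x02, int_body(v)) end
  def ber_ticks(v)  tlv(0x43, int_body(v)) end # TimeTicks
  def ber_octets(s) tlv(0x04, s.b) end

  def ber_oid(str)
    ids = str.split('.').map(&:to_i)
    body = [ids[0] * 40 + ids[1]].pack('C')
    ids.drop(2).each do |id|
      chunks = [id & 0x7f]
      id >>= 7
      while id > 0
        chunks.unshift((id & 0x7f) | 0x80)
        id >>= 7
      end
      body += chunks.pack('C*')
    end
    tlv(0x06, body)
  end

  # SNMPv2c message: SEQUENCE { version(1), community, SNMPv2-Trap-PDU (0xA7) }
  # carrying the two mandatory varbinds sysUpTime.0 and snmpTrapOID.0 (RFC 3416).
  def build_trap(community:, uptime_ticks:, trap_oid:, request_id: 1)
    varbinds = tlv(0x30, ber_oid('1.3.6.1.2.1.1.3.0') + ber_ticks(uptime_ticks)) +
               tlv(0x30, ber_oid('1.3.6.1.6.3.1.1.4.1.0') + ber_oid(trap_oid))
    pdu = tlv(0xA7, ber_int(request_id) + ber_int(0) + ber_int(0) + tlv(0x30, varbinds))
    tlv(0x30, ber_int(1) + ber_octets(community) + pdu)
  end

  # ---- BER decoding ------------------------------------------------------
  def decode_tlv(buf, pos)
    raise OutOfData, "no room for tag/length at offset #{pos}" if pos + 2 > buf.bytesize
    tag = buf.getbyte(pos)
    len = buf.getbyte(pos + 1)
    pos += 2
    if len >= 0x80 # long form: low 7 bits give the number of length bytes
      n = len & 0x7f
      raise OutOfData, 'truncated long-form length' if pos + n > buf.bytesize
      len = int_value(buf.byteslice(pos, n))
      pos += n
    end
    raise OutOfData, "length #{len} but only #{buf.bytesize - pos} bytes left" if pos + len > buf.bytesize
    [tag, buf.byteslice(pos, len), pos + len]
  end

  def int_value(body) body.bytes.inject(0) { |acc, b| (acc << 8) | b } end

  def decode_oid(body)
    b = body.bytes
    ids = [b[0] / 40, b[0] % 40]
    acc = 0
    b.drop(1).each do |x|
      acc = (acc << 7) | (x & 0x7f)
      next if (x & 0x80) != 0 # continuation bit set: more bytes follow
      ids << acc
      acc = 0
    end
    ids.join('.')
  end

  # Parse a datagram the way a trap receiver must; non-BER or truncated
  # input raises OutOfData before a single varbind is produced.
  def parse_trap(datagram)
    tag, msg, _ = decode_tlv(datagram, 0)
    raise OutOfData, format('outer tag 0x%02x is not SEQUENCE', tag) unless tag == 0x30
    _, ver, pos = decode_tlv(msg, 0)
    _, community, pos = decode_tlv(msg, pos)
    pdu_tag, pdu, _ = decode_tlv(msg, pos)
    pos = 0
    3.times { _, _, pos = decode_tlv(pdu, pos) } # request-id, error-status, error-index
    _, vbl, _ = decode_tlv(pdu, pos)
    varbinds = []
    pos = 0
    while pos < vbl.bytesize
      _, vb, pos = decode_tlv(vbl, pos)
      _, name, q = decode_tlv(vb, 0)
      vtag, val, _ = decode_tlv(vb, q)
      value = case vtag
              when 0x06 then decode_oid(val)
              when 0x02, 0x43 then int_value(val)
              else val
              end
      varbinds << [decode_oid(name), value]
    end
    { version: int_value(ver), community: community, pdu_tag: pdu_tag, varbinds: varbinds }
  end
end

if $PROGRAM_NAME == __FILE__
  trap = SnmpTrapDemo.build_trap(community: 'public', uptime_ticks: 12_345,
                                 trap_oid: '1.3.6.1.6.3.1.1.5.1') # coldStart
  p SnmpTrapDemo.parse_trap(trap)
  begin # what `netcat -u host 162` delivers when you type text: not BER at all
    SnmpTrapDemo.parse_trap("hello from netcat\n")
  rescue SnmpTrapDemo::OutOfData => e
    puts "raw text rejected: #{e.message}"
  end
end
```

To put a real trap on the wire, hand the string returned by `build_trap` to `UDPSocket#send` with the receiver's host and port; `netcat -u` only forwards the bytes you type, so "hello" arrives with 0x68 as the tag and 0x65 (101) as a length the 18-byte datagram cannot satisfy, which is exactly the condition `decode_tlv` rejects.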