I'm trying to use the snmptrap input plugin. But after running Logstash, there is no data in the output. Has anyone met the same issue? I want to know how to debug it and make it work. Can anyone help me? Thanks.
My Logstash version is 5.4.0, and the snmptrap plugin was installed automatically with it as logstash-input-snmptrap-3.0.2. The server is based on CentOS 7 64-bit.
I have generated the YAML file and put it into the directory "/usr/share/logstash/vendor/bundle/jruby/1.9/gems/snmp-1.2.0/data/ruby/snmp/mibs".
My config:
input {
  snmptrap {
    host => "172.17.6.128"
    port => 1062
    type => "snmp_trap"
    community => "public"
    yamlmibdir => "/usr/share/logstash/vendor/bundle/jruby/1.9/gems/snmp-1.2.0/data/ruby/snmp/mibs"
  }
}
output {
  stdout {
    codec => rubydebug
  }
}
After starting Logstash, the server only prints the following message and no other data.
“Sending Logstash's logs to /var/log/logstash which is now configured via log4j2.properties”
I have checked that Logstash is listening on the port, and I can see the server receive the snmptrap message via tcpdump. The firewall is disabled.
[root@elk ~]# netstat -anp|grep 1062
udp6 0 0 172.17.6.128:1062 :::* 1739/java
Finally I looked at the Logstash logs. There is no error. From the logs we can see that Logstash found my MIB, but there is no other useful info.
[2017-07-26T03:24:42,760][INFO ][logstash.pipeline ] Starting pipeline {"id"=>"main", "pipeline.workers"=>40, "pipeline.batch.size"=>125, "pipeline.batch.delay"=>5, "pipeline.max_inflight"=>5000}
[2017-07-26T03:24:42,799][INFO ][logstash.inputs.snmptrap ] checking /usr/share/logstash/vendor/bundle/jruby/1.9/gems/snmp-1.2.0/data/ruby/snmp/mibs for MIBs
[2017-07-26T03:24:42,801][INFO ][logstash.inputs.snmptrap ] found MIBs: CAP-MIB
[2017-07-26T03:24:42,801][INFO ][logstash.pipeline ] Pipeline main started
[2017-07-26T03:24:42,805][INFO ][logstash.inputs.snmptrap ] It's a Trap! {:Port=>1062, :Community=>["public"], :Host=>"172.17.6.128", :MibDir=>"/usr/share/logstash/vendor/bundle/jruby/1.9/gems/snmp-1.2.0/data/ruby/snmp/mibs", :MibModules=>["CAP-MIB"]}
[2017-07-26T03:24:42,848][INFO ][logstash.agent ] Successfully started Logstash API endpoint {:port=>9600}
BTW, I have tested it with the UDP input and the server can print the message.
udp {
  host => "172.17.6.128"
  port => 1062
}