[SOLVED] - Snmp trap source :

Hi all,

I have a question about my configuration :

  • snmptrapd.conf
    authCommunity log,execute,net public
    forward default localhost:1062

  • logstash
    input {
    snmptrap {
    type => snmptrap
    port => 1062
    ruby {
    code => "event.to_hash.keys.each { |k| event[ k.gsub('.','_') ] = event.remove(k) if k.include?'.' }"
    output {
    elasticsearch {
    hosts => ['localhost:9200']

And message in Kibana :

<SNMP::SNMPv2_Trap:0x61a6cec1 @request_id=14556, @error_index=0,
@error_status=0, @source_ip="", ...

My problem is that I do not have the IP address of snmp trap agent but the local machine.

For me it's a big problem because I have a lot of element in my network and I want to get the IP address to find out which element generates this trap.

I used tcpdump for understanding what append, when the trap arrived, the source_ip is correct but after the forward default localhost:1062, the source_ip become

Thanks for your help.

Solved the problem under Debian :

Don't use snmptrapd.conf but add a ip table rule :
iptables -t nat -A PREROUTING -p udp --dport 162 -j REDIRECT --to-port 1062