What OIDs should I use when monitoring routers and switches?

I'm in the middle of testing to see if we can monitor everything we need to monitor via Elastic Stack. Linux servers have been easy enough to deal with due to Beats, but our networking infrastructure has proven a bit more of a challenge. As far as I can tell, the best (possibly only) way is via SNMP.

To do that, the obvious tool in the Elastic Stack seems to be the Logstash SNMP input plugin.

The thing is, I need to know which OIDs to use.

Has anyone already solved this problem? Would you be willing to share?

Do you know of a good OID reference? Most of the sites I've found via Google on the subject have been difficult to navigate.

Our infrastructure is mostly Cisco. There are a few HP items thrown in there as well. When I talked to my coworker in charge of it, he listed a few IP addresses and what (I think) are model names that I could use to test with.

The names:

  • C9k2
  • N9K
  • CoreBB-Catylist
  • 2960-ios
  • HP -Access Control

Another thought: is there a scanning tool that I could use to discover what OIDs are available from our infrastructure? Something that would output the OID and what the data actually means.

Thanks in advance!

Well, after much hassle, I am finally able to access SNMP on the devices I'm testing.

Now I just need to figure out what OIDs to use.

I found some slides on community.cisco.com that list some useful OIDs, but when I try 1.3.6.1.2.1.1.3 or 1.3.6.1.4.1.9.2.2.1.1.17 Logstash throws an error.

A manual run of snmpwalk with both of those OIDs against my target does return data.

I'm running Logstash via docker-compose. Version 7.4.1.

My current pipeline config:

input {
  snmp {
    get => [
      "1.3.6.1.2.1.1.3",
      "1.3.6.1.4.1.9.2.2.1.1.17" 
    ]
    hosts => [
      { host => "udp:targetip/161" community => "blah" version => "2c"}
    ]
  }
}
output {
  stdout {}
}

What I get in my output:

nodename_logstash | {
nodename_logstash |                                                  "@version" => "1",
nodename_logstash |     "iso.org.dod.internet.private.enterprises.9.2.2.1.1.17" => "error: no such instance currently exists at this OID",
nodename_logstash |                                                "@timestamp" => 2019-11-07T00:54:23.170Z,
nodename_logstash |          "iso.org.dod.internet.mgmt.mib-2.system.sysUpTime" => "error: no such instance currently exists at this OID",
nodename_logstash |                                                      "host" => "targetip"
nodename_logstash | }

Does that indicate that I need to import some MIB files?

The docs talk about having to convert them to another format. Any idea where I'd find the MIB files for Cisco stuff?

Thanks.

I think you are confusing get and walk. You can

walk => [ ".1.3.6.1.2.1.25.1.1" ]

or you can

get => [ ".1.3.6.1.2.1.25.1.1.0" ]

but if you try to

get => [ ".1.3.6.1.2.1.25.1.1" ]

you will get "error: no such instance currently exists at this OID"
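An added illustration of the get/walk difference described in the answer above (not part of the original thread, and not Logstash or net-snmp code): a toy in-memory agent showing that GET answers only for an exact instance OID, while a walk is repeated GETNEXT over a subtree. The values are constructed, and the toy reports every GET miss as "no such instance".

```python
"""Toy SNMP agent: GET vs. walk (repeated GETNEXT). All values are constructed."""

NO_SUCH_INSTANCE = "error: no such instance currently exists at this OID"

def parse(oid):
    """'.1.3.6' or '1.3.6' -> (1, 3, 6), so ordering is numeric per arc."""
    return tuple(int(part) for part in oid.strip(".").split("."))

def fmt(key):
    return ".".join(str(arc) for arc in key)

# Constructed sample agent: one scalar (instance suffix .0) and two table
# columns whose instance suffix is the interface index.
AGENT = {
    parse("1.3.6.1.2.1.1.3.0"): 123456,     # sysUpTime.0
    parse("1.3.6.1.2.1.2.2.1.10.1"): 1000,  # ifInOctets.1
    parse("1.3.6.1.2.1.2.2.1.10.2"): 2000,  # ifInOctets.2
    parse("1.3.6.1.2.1.2.2.1.16.1"): 10,    # ifOutOctets.1
}

def snmp_get(oid):
    """GET succeeds only when the OID names an instance exactly."""
    return AGENT.get(parse(oid), NO_SUCH_INSTANCE)

def snmp_getnext(oid):
    """GETNEXT: first instance that sorts after oid, or None at end of MIB."""
    key = parse(oid)
    later = sorted(k for k in AGENT if k > key)
    return (later[0], AGENT[later[0]]) if later else None

def snmp_walk(root):
    """Repeat GETNEXT from root until the answer leaves root's subtree."""
    prefix, cursor, found = parse(root), root, {}
    while (nxt := snmp_getnext(cursor)) is not None:
        key, value = nxt
        if key[:len(prefix)] != prefix:
            break  # next instance belongs to a different object
        found[fmt(key)] = value
        cursor = fmt(key)
    return found

if __name__ == "__main__":
    print(snmp_get("1.3.6.1.2.1.1.3"))        # object OID, no instance
    print(snmp_get("1.3.6.1.2.1.1.3.0"))      # scalar instance
    print(snmp_walk("1.3.6.1.2.1.2.2.1.10"))  # every row of one column
```
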

Thanks @Badger, I hadn't thought to look into the differences between get and walk. Now I just need to figure out which OIDs work.

Just for the record, I have successfully started importing this list of OIDs into my Elasticsearch stack.

1.3.6.1.4.1.9.9.48.1.1.1.5	ciscoMemoryPoolUsed
1.3.6.1.4.1.9.9.48.1.1.1.6	ciscoMemoryPoolFree
1.3.6.1.2.1.1.3	sysUpTime
1.3.6.1.4.1.9.9.109.1.1.1.1.25	cpmCPULoadAvg5min
1.3.6.1.4.1.9.9.109.1.1.1.1.24	cpmCPULoadAvg1min
1.3.6.1.4.1.9.9.109.1.1.1.1.26	cpmCPULoadAvg15min
1.3.6.1.4.1.9.2.2.1.1.26	locIfInputQueueDrops
1.3.6.1.4.1.9.2.2.1.1.27	locIfOutputQueueDrops
1.3.6.1.2.1.2.2.1.10	ifInOctets
1.3.6.1.2.1.2.2.1.16	ifOutOctets
1.3.6.1.2.1.2.2.1.13	ifInDiscards
1.3.6.1.2.1.2.2.1.19	ifOutDiscards
1.3.6.1.2.1.31.1.1.1.6	ifHCInOctets
1.3.6.1.2.1.31.1.1.1.10	ifHCOutOctets
1.3.6.1.2.1.2.2.1.14	ifInErrors
1.3.6.1.2.1.2.2.1.20	ifOutErrors
1.3.6.1.2.1.2.2.1.11	ifInUcastPkts
1.3.6.1.2.1.2.2.1.17	ifOutUcastPkts
1.3.6.1.2.1.31.1.1.1.2	ifInMulticastPkts
1.3.6.1.2.1.31.1.1.1.3	ifInBroadcastPkts
1.3.6.1.2.1.31.1.1.1.1	ifName

Now I just need to work at turning the data into something useful.

This reminds me that I meant to leave a comment before, not for you, but for future readers, that doing a walk once at a very high level like "1.3.6.1" will get a dump of what you can collect, so that you can start to review what might be useful.