Wrong format of MAC address using SNMPTRAP input

Our Logstash output contains "invalid" characters in the field containing the MAC address. Is there any filter to convert it to a readable format?

Thx

logstash output:

{
"HP-ICF-MACNOTIFY-MIB::hpicfMacNotifyFromPortId.0" => "10",
"message" => "#<SNMP::SNMPv1_Trap:0x2139c25e @enterprise=[1.3.6.1.4.1.11.2.14.11.5.1.66], @timestamp=#<SNMP::TimeTicks:0x26f158d3 @value=26775567>, @varbind_list=[#<SNMP::VarBind:0x1bfe0042 @name=[1.3.6.1.4.1.11.2.14.11.5.1.66.1.6.0], @value=#<SNMP::Integer:0x74ba0a51 @value=3>>, #<SNMP::VarBind:0x58a1e3d5 @name=[1.3.6.1.4.1.11.2.14.11.5.1.66.1.7.0], @value="\x00\x13;\x9Bb\x96">, #<SNMP::VarBind:0x2fb5bbbb @name=[1.3.6.1.4.1.11.2.14.11.5.1.66.1.8.0], @value=#<SNMP::Integer:0x4422521f @value=10>>, #<SNMP::VarBind:0x60ee3048 @name=[1.3.6.1.4.1.11.2.14.11.5.1.66.1.9.0], @value=#<SNMP::Integer:0x3786c8cb @value=0>>, #<SNMP::VarBind:0x356cd5e3 @name=[1.3.6.1.4.1.11.2.14.11.5.1.66.1.10.0], @value=#<SNMP::Integer:0x6388cbfb @value=7>>], @specific_trap=1, @source_ip="172.20.7.20", @agent_addr=#<SNMP::IpAddress:0x72f5dbb2 @value="\xAC\x14\a\x14">, @generic_trap=6>",
"HP-ICF-MACNOTIFY-MIB::hpicfMacNotifyToPortId.0" => "0",
"host" => "172.20.7.20",
"@timestamp" => 2019-02-11T11:43:02.979Z,
"@version" => "1",
"HP-ICF-MACNOTIFY-MIB::hpicfMacNotifyMacAddress.0" => "\x00\x13;\x9Bb\x96",
"HP-ICF-MACNOTIFY-MIB::hpicfMacNotifyAction.0" => "3",
"HP-ICF-MACNOTIFY-MIB::hpicfMacNotifyVlanId.0" => "7"
}

Ok,

I tried to solve my problem using bperian's pull request https://github.com/logstash-plugins/logstash-input-snmptrap/pull/25/files (I edited snmptrap.rb).

The output looks OK; we will test this solution.
Thx

Actual output:

{
"@version" => "1",
"message" => "#<SNMP::SNMPv1_Trap:0x26ec1eb2 @enterprise=[1.3.6.1.4.1.11.2.14.11.5.1.66], @timestamp=#<SNMP::TimeTicks:0xbef160a @value=27162568>, @varbind_list=[#<SNMP::VarBind:0x37c0a3c2 @name=[1.3.6.1.4.1.11.2.14.11.5.1.66.1.6.0], @value=#<SNMP::Integer:0x719f3206 @value=3>>, #<SNMP::VarBind:0x2332579 @name=[1.3.6.1.4.1.11.2.14.11.5.1.66.1.7.0], @value="\x00\x13;\x9Bb\x96">, #<SNMP::VarBind:0x2be6ca17 @name=[1.3.6.1.4.1.11.2.14.11.5.1.66.1.8.0], @value=#<SNMP::Integer:0x190ab21a @value=10>>, #<SNMP::VarBind:0x118dac3f @name=[1.3.6.1.4.1.11.2.14.11.5.1.66.1.9.0], @value=#<SNMP::Integer:0xa8e5b9a @value=0>>, #<SNMP::VarBind:0x17a59eae @name=[1.3.6.1.4.1.11.2.14.11.5.1.66.1.10.0], @value=#<SNMP::Integer:0x5bf37422 @value=7>>], @specific_trap=1, @source_ip="172.20.7.20", @agent_addr=#<SNMP::IpAddress:0x2763c737 @value="\xAC\x14\a\x14">, @generic_trap=6>",
"HP-ICF-MACNOTIFY-MIB::hpicfMacNotifyFromPortId.0" => "10",
"HP-ICF-MACNOTIFY-MIB::hpicfMacNotifyAction.0" => "3",
"@timestamp" => 2019-02-11T12:47:33.008Z,
"HP-ICF-MACNOTIFY-MIB::hpicfMacNotifyMacAddress.0" => "00:13:3b:9b:62:96",
"HP-ICF-MACNOTIFY-MIB::hpicfMacNotifyToPortId.0" => "0",
"HP-ICF-MACNOTIFY-MIB::hpicfMacNotifyVlanId.0" => "7",
"host" => "172.20.7.20"
}
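
The conversion discussed in this thread, as an added example in plain Ruby (not code from the posts and not the code in the linked pull request). The names `format_mac`, `normalize_trap` and `MAC_FIELD` are hypothetical, the field-name pattern is an assumption, and the sample trap is constructed from the values shown in the output above.

```ruby
# Added example: turn SNMP OCTET STRING values that carry a MAC address
# into colon-separated hex so they can be searched and correlated.

# Assumption: MAC-carrying varbinds have names ending in "MacAddress.<index>".
MAC_FIELD = /MacAddress(\.\d+)*\z/
# A value that is already textual (colon- or dash-separated hex).
MAC_TEXT = /\A\h{2}([:-]\h{2}){5}\z/

# Returns "aa:bb:cc:dd:ee:ff", or nil when the value cannot be a MAC.
def format_mac(value)
  return nil unless value.is_a?(String)

  raw = value.b # binary copy: regexes and sizes are safe on invalid UTF-8
  return raw.downcase.tr('-', ':') if raw.match?(MAC_TEXT)
  return nil unless raw.bytesize == 6

  # Octets such as 0x3b (";") and 0x62 ("b") are printable, which is why the
  # raw value looks like "\x00\x13;\x9Bb\x96"; format every byte as hex.
  raw.bytes.map { |b| format('%02x', b) }.join(':')
end

# Rewrites only the fields whose name matches MAC_FIELD; other fields and
# values that are not a plausible MAC are passed through unchanged.
def normalize_trap(fields)
  fields.each_with_object({}) do |(name, value), out|
    mac = name.match?(MAC_FIELD) ? format_mac(value) : nil
    out[name] = mac || value
  end
end

# Constructed sample, using the field names and values from the output above.
SAMPLE_TRAP = {
  'HP-ICF-MACNOTIFY-MIB::hpicfMacNotifyFromPortId.0' => '10',
  'HP-ICF-MACNOTIFY-MIB::hpicfMacNotifyMacAddress.0' => "\x00\x13;\x9Bb\x96",
  'HP-ICF-MACNOTIFY-MIB::hpicfMacNotifyVlanId.0' => '7'
}.freeze

normalize_trap(SAMPLE_TRAP).each { |name, value| puts "#{name} => #{value}" }
```

Restricting the conversion to named fields matters because other OCTET STRING varbinds can also be six bytes long and would otherwise be rewritten as if they were MAC addresses.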
