SNMP traps are generally easy to receive and process with logstash. \u00a0The snmptrap{} input<\/a> sets up a listener, which processes each trap and replaces the OIDs with the string representation found in the given mibs. \u00a0If the OID can’t be found, logstash will make a new field, using the OID value as the field name, e.g.<\/p>\n (Note that this is currently broken<\/a> if you use Elasticsearch 2.0).<\/p>\n Probably the biggest issues with most traps is that they are sent to port 162, which is a low-numbered “system” port. \u00a0For logstash to listen on that port, it must be run as root, which is not recommended.<\/p>\n The easiest workaround for this is to forward port 162 to a higher-numbered port to which logstash can connect. \u00a0iptables is the typical tool to perform the forwarding:<\/p>\n where ‘5000’ is the port on which logstash is listening.<\/p>\n Some SNMP traps come in with a “sequence number”, which allows the receiver to know if all traps have been received. \u00a0In the ones we’ve seen, the sequence is appended to each OID, e.g.<\/p>\n where “90210” is the sequence number.<\/p>\n This seems like a handy feature, but it doesn’t appear to be supported by logstash (or perhaps the underlying SNMP library that is uses). \u00a0With the basic snmptrap config, logstash is unable to apply the mib definition and remove the sequence number, so you end up with a new field for each trap value. \u00a0That’s not good for you or for elasticsearch\/kibana.<\/p>\n Since traps aren’t just simple plain text, you can’t use a “tcp” listener, apply your own filter to remove the sequence, and feed the result back into logstash’s “snmptrap” mechanism. \u00a0Without modifying the snmptrap input plugin, you have to fix the problem before it hits logstash.<\/p>\n I was a fan of logstash plugins (and have written a few), but logstash 1.5 requires everything to be done as ruby gems, which has been a painful path. \u00a0As such, I’m doing more outside of logstash, like this recommendation.<\/p><\/blockquote>\n We’re now running snmptrapd on our logstash machines. \u00a0They listen for traps on port 162 and write them to a regular log file that can then be read by logstash.<\/p>\n Update \/etc\/snmp\/snmptrapd.conf to include:<\/p>\n Put your mib definitions in\/usr\/share\/snmp\/mibs.<\/p>\n To make the traps easier to process by logstash, I format the output as json. \u00a0This is done with OPTIONS set in \/etc\/sysconfig\/snmptrapd:<\/p>\n The flags used are:<\/p>\n Then, in logstash, use the json filter:<\/p>\n I use a ruby filter to make the separate fields and cast them to the correct type.<\/p>\n Don’t forget to setup a log file rotation on your new \/var\/log\/snmptrap file and setup a process monitor for snmptrapd.<\/p>\n <\/p>\n","protected":false},"excerpt":{"rendered":" The Basics SNMP traps are generally easy to receive and process with logstash. \u00a0The snmptrap{} input sets up a listener, which processes each trap and replaces the OIDs with the string representation found in the given mibs. \u00a0If the OID … Continue reading \"1.3.6.1.4.1.1234.1.2.3.4\": \"trap value\"<\/pre>\n
Forwarding<\/h1>\n
\/sbin\/iptables -A PREROUTING -t nat -i eth0 -p udp --dport 162 -j REDIRECT --to-port\u00a05000<\/pre>\n
SNMP Sequences<\/h1>\n
\"1.3.6.1.4.1.1234.1.2.3.4.90210\": \"trap value\"<\/pre>\n
snmptrapd<\/h1>\n
Basic config<\/h2>\n
disableAuthorization yes<\/pre>\n
Trap formatting<\/h2>\n
OPTIONS=\"-A -Lf \/var\/log\/snmptrap -p \/var\/run\/snmptrapd.pid -m ALL -F '{ \\\"type\\\": \\\"snmptrap\\\", \\\"timestamp\\\": \\\"%04y-%02m-%02l %02h:%02j:%02k\\\", \\\"host_ip\\\":\\\"%a\\\", \\\"trapEnterprise\\\": \\\"%N\\\", \\\"trapSubtype\\\": \\\"%q\\\", \\\"trapType\\\": %w, \\\"trapVariables\\\": \\\"%v\\\" }\\n' \"<\/pre>\n\n
filter {\r\n json {\r\n source => \"message\"\r\n }\r\n}<\/pre>\n