SNMP Integration Plugin
editSNMP Integration Plugin
edit- Plugin version: v4.0.0
- Released on: 2024-05-03
- Changelog
This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.
Description
editThe SNMP integration plugin includes:
- SNMP input plugin
- SNMPtrap input plugin
The new logstash-integration-snmp
plugin combines the
logstash-input-snmp
and logstash-input-snmptrap
plugins into a single Ruby gem.
This integrated plugin package provides better alignment in SNMP processing behavior, improved resource management, easier package maintenance, and a smaller installation footprint.
The individual plugins now share the same code base and have been refactored to leverage the latest version of SNMP4j.
Migrating to logstash-integration-snmp
from individual plugins
editYou’ll retain the functionality of existing stand-alone plugins, but with a more consistent experience and expanded features. In this section, we’ll note mapping and behavioral changes, and explain how to preserve current behavior if needed.
Migration notes: logstash-input-snmp
editAs a component of the new logstash-integration-snmp
plugin, the logstash-input-snmp
plugin offers the same
capabilities as the stand-alone logstash-input-snmp.
Given the underlying code refactor to better align snmp and snmptrap plugin behavior, you might need to address some changes depending on your use case and how the ingested data is being handled through the pipeline.
Changes to mapping and error logging: logstash-input-snmp
edit-
No such instance errors are mapped as
error: no such instance currently exists at this OID string
instead ofnoSuchInstance
. -
No such object errors are mapped as
error: no such object currently exists at this OID string
instead ofnoSuchObject
. -
End of MIB view errors are mapped as
error: end of MIB view
instead ofendOfMibView
. -
An unknown variable type falls back to the
string
representation instead of logging an error as it did in with the stand-alonelogstash-input-snmp
. This change should not affect existing pipelines, unless they have custom error handlers that rely on specific error messages.
Migration notes: logstash-input-snmptrap
editAs a component of the new logstash-integration-snmp
plugin, the logstash-input-snmptrap
plugin offers almost the same
capabilities as the stand-alone logstash-input-snmp plugin.
You might need to address some behavior changes depending on your use case and how the ingested data is being handled through the pipeline.
Changes to mapping and error logging: logstash-input-snmptrap
edit-
The PDU variable bindings are mapped into the Logstash event using the defined data type.
By default, the stand-alone
logstash-input-snmptrap
plugin converts all of the data tostring
, ignoring the original type. If this behavior is not what you want, you can use a filter to retain the original type. -
SNMP
TimeTicks
variables are mapped asLong
timestamps instead of formatted date string (%d days, %02d:%02d:%02d.%02d
). -
null
variables values are mapped using the stringnull
instead ofNull
(upper-case N). -
No such instance errors are mapped as
error: no such instance currently exists at this OID string
instead ofnoSuchInstance
. -
No such object errors are mapped as
error: no such object currently exists at this OID string
instead ofnoSuchObject
. -
End of MIB view errors are mapped as
error: end of MIB view
instead ofendOfMibView
. -
The previous generation (stand-alone) input-snmptrap plugin formatted the
message
field as a ruby-snmpSNMP::SNMPv1_Trap
object representation.<SNMP::SNMPv1_Trap:0x6f1a7a4 @varbind_list=[#<SNMP::VarBind:0x2d7bcd8f @value="teststring", @name=[1.11.12.13.14.15]>], @timestamp=#<SNMP::TimeTicks:0x1af47e9d @value=55>, @generic_trap=6, @enterprise=[1.2.3.4.5.6], @source_ip="127.0.0.1", @agent_addr=#<SNMP::IpAddress:0x29a4833e @value="test">, @specific_trap=99>
The new integrated
input-snmptrap
plugin uses JSON to formatmessage
field.{"error_index":0, "variable_bindings":{"1.3.6.1.6.3.1.1.4.1.0":"SNMPv2-MIB::coldStart", "1.3.6.1.2.1.1.3.0":0}, "error_status":0, "type":"TRAP", "error_status_text":"Success", "community":"public", "version":"2c", "request_id":1436216872}
Maintain maximum compatibility with previous implementation
editIf needed, you can configure the new logstash-integration-snmp
plugin to maintain maximum compatibility with the previous (stand-alone)
version of the input-snmp plugin.
input { snmptrap { use_provided_mibs => false oid_mapping_format => 'ruby_snmp' oid_map_field_values => true } }