logstash-plugins / logstash-integration-snmp

Logstash Integration Plugin for SNMP, including SNMP input and SNMP Trap Plugins
Apache License 2.0

Convert message field to json string #50

Closed hackery closed 4 months ago

hackery commented 2 years ago

The message field emitted by the plugin is the textual inspect representation of the native Ruby object and a dreadful thing to grok in a pipeline config.

#<SNMP::SNMPv1_Trap:0x554b5b21 @enterprise=[1.3.6.1.4.1.232], @timestamp=#<SNMP::TimeTicks:0x12ef9112 @value=181918000>, @varbind_list=[#<SNMP::VarBind:0x73aa2243 @name=[1.3.6.1.2.1.1.5.0], @value="host1234">, ...], @specific_trap=11020, @source_ip="10.1.1.1", @agent_addr=#<SNMP::IpAddress:0x30474a34 @value="\n\x8E$\f">, @generic_trap=6>

A json string would be a more useful representation, it could immediately be transformed to a json substructure and fields selected from it. Could a config item for format => json or codec => json be added (perhaps with a view to be made the default later)?

OID strings are of course not translated in this context - not a problem for the @varbind_list variable which is extracted to separate fields, but @enterprise also misses out, and possibly other fields. (this could possibly be mapped inside the plugin when transforming, but isn't the main point here)

The plugin could probably extract all these instance variables to named Logstash fields - @enterprise, @timestamp (renamed), @specific_trap etc., not just @varbind_list. That might leave no need for the message field at all. We should also have the option of extracting @varbind_list to a substructure, at the moment there's no option but to place it at top level.

Erikg346 commented 9 months ago

+1

edmocosta commented 4 months ago

Hey there!

We've moved this issue into this new SNMP integration plugin repository, which combines the logstash-input-snmp and logstash-input-snmptrap plugins into one.

In addition to other improvements, we've also changed the message format to a JSON string, and the properties may vary depending on the SNMP PDU version. Example:

{"agent_addr":"192.168.1.40", "generic_trap":6, "specific_trap":15511, "enterprise":"1.3.6.1.2.1.1.1", "variable_bindings":{"1.3.6.1.2.1.1.2.0":"test one", "1.3.6.1.2.1.1.1.0":"test two"}, "type":"V1TRAP", "community":"public", "version":1, "timestamp":1500}

It also adds a few metadata fields (see the list here) that can be added to the Logstash event if needed, for example:

input {
  snmptrap {
    ...
    add_field => {
      "agent_address" => "%{[@metadata][input][snmptrap][pdu][agent_addr]}"
      "generic_trap" => "%{[@metadata][input][snmptrap][pdu][generic_trap]}"
      ...
    }
  }
}

Before upgrading, please have a look at the migration notes, as the new plugin introduced a few breaking changes compared to the individual ones. It will be bundled by default with Logstash in a future release (e.g. 8.15 or 8.16).

Thanks!
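The reply above explains that the message field is now a JSON string whose properties depend on the SNMP PDU version. The Ruby snippet below is an added example, not code from this thread or from the logstash-integration-snmp plugin: it parses the JSON message quoted in the reply, nests the variable bindings under their own key (the substructure the issue asked for) and copies the SNMPv1-only fields only when the PDU type is V1TRAP, so a consumer does not read keys that a v2c/v3 trap never carries. It also keeps an event whose message still has the old Ruby inspect format (emitted by the pre-integration plugin and possible during a rolling upgrade) instead of dropping it. The sample messages, the OID-to-name table, the v2c sample's type value and the list of v1-only keys are assumptions constructed for the example.

```ruby
require 'json'

# Constructed sample: the SNMPv1 trap message format quoted in the reply above.
SAMPLE_V1_MESSAGE = '{"agent_addr":"192.168.1.40", "generic_trap":6, "specific_trap":15511, ' \
                    '"enterprise":"1.3.6.1.2.1.1.1", "variable_bindings":{"1.3.6.1.2.1.1.2.0":"test one", ' \
                    '"1.3.6.1.2.1.1.1.0":"test two"}, "type":"V1TRAP", "community":"public", ' \
                    '"version":1, "timestamp":1500}'.freeze

# Constructed sample of a v2c trap; the "type" value is an assumption for the example,
# the point is only that the v1-specific keys are absent.
SAMPLE_V2C_MESSAGE = '{"variable_bindings":{"1.3.6.1.2.1.1.5.0":"host1234"}, "type":"TRAP", ' \
                     '"community":"public", "version":2, "timestamp":181918000}'.freeze

# Constructed sample of the old message format (Ruby inspect output) from the
# pre-integration plugin, as shown in the opening comment of the issue.
SAMPLE_LEGACY_MESSAGE = '#<SNMP::SNMPv1_Trap:0x554b5b21 @enterprise=[1.3.6.1.4.1.232], @generic_trap=6>'.freeze

# Keys that only an SNMPv1 trap PDU carries (assumption based on the example above).
V1_ONLY_KEYS = %w[agent_addr generic_trap specific_trap enterprise].freeze

# Minimal OID-to-name table for illustration (assumption; a real pipeline would
# rely on the plugin's own MIB translation rather than a hand-written map).
OID_NAMES = {
  '1.3.6.1.2.1.1.1.0' => 'sysDescr',
  '1.3.6.1.2.1.1.2.0' => 'sysObjectID',
  '1.3.6.1.2.1.1.5.0' => 'sysName'
}.freeze

# Turn the plugin's JSON message into a structured hash. Returns a 'legacy'
# record (raw message preserved) when the message is not JSON at all.
def normalize_snmptrap_message(message)
  pdu = JSON.parse(message)
  raise ArgumentError, 'message is not a JSON object' unless pdu.is_a?(Hash)

  bindings = pdu.fetch('variable_bindings', {})
  raise ArgumentError, 'variable_bindings must be a JSON object' unless bindings.is_a?(Hash)

  # Keep the bindings as a substructure, translating known OIDs and leaving
  # unknown ones as their dotted string.
  varbinds = bindings.each_with_object({}) do |(oid, value), acc|
    acc[OID_NAMES.fetch(oid, oid)] = value
  end

  result = {
    'format'    => 'json',
    'type'      => pdu['type'],
    'version'   => pdu['version'],
    'community' => pdu['community'],
    'timestamp' => pdu['timestamp'],
    'varbinds'  => varbinds
  }

  # Only a V1TRAP PDU has enterprise/generic_trap/specific_trap/agent_addr;
  # copying them unconditionally would produce nil fields for v2c/v3 traps.
  V1_ONLY_KEYS.each { |key| result[key] = pdu[key] } if pdu['type'] == 'V1TRAP'

  result
rescue JSON::ParserError
  # Old plugin output (or a malformed message): keep it rather than dropping the event.
  { 'format' => 'legacy', 'raw' => message }
end

if __FILE__ == $PROGRAM_NAME
  [SAMPLE_V1_MESSAGE, SAMPLE_V2C_MESSAGE, SAMPLE_LEGACY_MESSAGE].each do |msg|
    puts JSON.generate(normalize_snmptrap_message(msg))
  end
end
```

In a Logstash pipeline the same reshaping is done declaratively with the json filter (`json { source => "message" target => "snmp" }`) followed by conditionals on `[snmp][type]`; the Ruby version makes the version-dependent key handling and the legacy-format fallback explicit so they can be unit-tested before the upgrade.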