Skip to content

generated events fields using MIBs #3

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
colinsurprenant opened this issue Apr 24, 2018 · 9 comments
Closed

generated events fields using MIBs #3

colinsurprenant opened this issue Apr 24, 2018 · 9 comments
Assignees
@colinsurprenant

Comments

@colinsurprenant
Copy link
Contributor

colinsurprenant commented Apr 24, 2018
edited
Loading

I would like feedback on the current strategy for the generated event fields when using MIBs.

  • In this initial version we basically only support scalar values and we have no added logic for structuring MIB objects such as table in the event. These will be created linearly as originally generated, for now.

  • The field names will be formatted using what is provided in the MIB and what is not defined in the MIB will be prepended or appended as the OID numeric parts.

Here's an example, polling for these 3 OIDs ["1.3.6.1.2.1.1.1.0", "1.3.6.1.2.1.1.3.0", "1.3.6.1.2.1.1.5.0"]

  • Without providing a MIB results in this event:
{
           "@timestamp" => 2018-04-24T22:16:00.095Z,
             "@version" => "1",
    "1.3.6.1.2.1.1.1.0" => "Darwin mbp15r.local 16.7.0 Darwin Kernel Version 16.7.0: Tue Jan 30 11:27:06 PST 2018; root:xnu-3789.73.11~1/RELEASE_X86_64 x86_64",
    "1.3.6.1.2.1.1.3.0" => 76370966,
    "1.3.6.1.2.1.1.5.0" => "mbp15r.local"
}
  • Providing a RFC1213-MIB results in this event:
{
                              "@version" => "1",
      "1.3.6.1.2.mib-2.system.sysName.0" => "mbp15r.local",
     "1.3.6.1.2.mib-2.system.sysDescr.0" => "Darwin mbp15r.local 16.7.0 Darwin Kernel Version 16.7.0: Tue Jan 30 11:27:06 PST 2018; root:xnu-3789.73.11~1/RELEASE_X86_64 x86_64",
    "1.3.6.1.2.mib-2.system.sysUpTime.0" => 76384550,
                            "@timestamp" => 2018-04-24T22:18:15.968Z
}

Here we see that the 1.3.6.1.2 root prefix is included in the field name. Is that desirable? Should we always strip it? or offer the option to strip it?

The .0 suffix for scalar values is also included. Is that desirable? Should we always strip it? or offer the option to strip it?
@colinsurprenant colinsurprenant mentioned this issue Apr 24, 2018
Open
24 tasks
@robgil
Copy link

robgil commented Apr 24, 2018

The root prefix is interesting. I'd consider it undesirable and try to match the snmpwalk/snmpget output as much as possible for v1. That said, I'm glad to see resolution in v1!

If I specify a partial oid, will it traverse the tree? Ex '1.3.6.1.2.1.1'. Or does it only accept leaf oids?

@robgil
Copy link

robgil commented Apr 24, 2018

Sorry, missed the PR. Its looking pretty good. Let me know when its ready for testing. I'm going to test against the network mib and see if I can pull all the counters. Even without auto-discovery, it will be super handy for fixed routers and other network devices that don't change (VPNs).

@colinsurprenant
Copy link
Contributor Author

@robgil you can specify any OID as the root to walk its subtree using the walk option such as

input {
  snmp {
    walk => ["1.3.6.1.2.1.1"]
    mib_paths => ["path/to/RFC1213-MIB.dic"]
    hosts => [{host => "udp:127.0.0.1/161" community => "public"}]
  }
}

and this would produce

{
          "1.3.6.1.2.mib-2.system.9.1.2.3" => "1.3.6.1.6.3.10.3.1.1",
          "1.3.6.1.2.mib-2.system.9.1.3.4" => "The MIB module for SNMPv2 entities",
          "1.3.6.1.2.mib-2.system.9.1.4.7" => 24,
          "1.3.6.1.2.mib-2.system.9.1.2.5" => "1.3.6.1.2.1.49",
    "1.3.6.1.2.mib-2.system.sysServices.0" => 76,
          "1.3.6.1.2.mib-2.system.9.1.4.2" => 23,
          "1.3.6.1.2.mib-2.system.9.1.4.5" => 24,
         "1.3.6.1.2.mib-2.system.9.1.4.10" => 25,
          "1.3.6.1.2.mib-2.system.9.1.3.6" => "The MIB module for managing IP and ICMP implementations",
        "1.3.6.1.2.mib-2.system.sysName.0" => "mbp15r.local",
         "1.3.6.1.2.mib-2.system.9.1.3.10" => "The MIB module for logging SNMP Notifications.",
          "1.3.6.1.2.mib-2.system.9.1.2.1" => "1.3.6.1.6.3.11.2.3.1.1",
          "1.3.6.1.2.mib-2.system.9.1.2.2" => "1.3.6.1.6.3.15.2.1.1",
     "1.3.6.1.2.mib-2.system.sysContact.0" => "Administrator <[email protected]>",
          "1.3.6.1.2.mib-2.system.9.1.3.3" => "The SNMP Management Architecture MIB.",
          "1.3.6.1.2.mib-2.system.9.1.4.9" => 24,
                              "@timestamp" => 2018-04-25T00:00:15.812Z,
          "1.3.6.1.2.mib-2.system.9.1.2.7" => "1.3.6.1.2.1.50",
          "1.3.6.1.2.mib-2.system.9.1.4.3" => 23,
          "1.3.6.1.2.mib-2.system.9.1.3.1" => "The MIB for Message Processing and Dispatching.",
    "1.3.6.1.2.mib-2.system.sysLocation.0" => "Right here, right now.",
          "1.3.6.1.2.mib-2.system.9.1.2.4" => "1.3.6.1.6.3.1",
    "1.3.6.1.2.mib-2.system.sysObjectID.0" => "1.3.6.1.4.1.8072.3.2.255",
          "1.3.6.1.2.mib-2.system.9.1.2.8" => "1.3.6.1.6.3.16.2.2.1",
         "1.3.6.1.2.mib-2.system.9.1.2.10" => "1.3.6.1.2.1.92",
          "1.3.6.1.2.mib-2.system.9.1.3.2" => "The MIB for Message Processing and Dispatching.",
                                "@version" => "1",
          "1.3.6.1.2.mib-2.system.9.1.3.7" => "The MIB module for managing UDP implementations",
          "1.3.6.1.2.mib-2.system.9.1.3.9" => "The MIB modules for managing SNMP Notification, plus filtering.",
          "1.3.6.1.2.mib-2.system.9.1.4.6" => 24,
          "1.3.6.1.2.mib-2.system.9.1.2.9" => "1.3.6.1.6.3.13.3.1.3",
          "1.3.6.1.2.mib-2.system.9.1.3.8" => "View-based Access Control Model for SNMP.",
          "1.3.6.1.2.mib-2.system.9.1.4.1" => 23,
          "1.3.6.1.2.mib-2.system.9.1.4.8" => 24,
          "1.3.6.1.2.mib-2.system.9.1.2.6" => "1.3.6.1.2.1.4",
          "1.3.6.1.2.mib-2.system.9.1.4.4" => 24,
              "1.3.6.1.2.mib-2.system.8.0" => 25,
          "1.3.6.1.2.mib-2.system.9.1.3.5" => "The MIB module for managing TCP implementations",
      "1.3.6.1.2.mib-2.system.sysUpTime.0" => 76996527,
       "1.3.6.1.2.mib-2.system.sysDescr.0" => "Darwin mbp15r.local 16.7.0 Darwin Kernel Version 16.7.0: Tue Jan 30 11:27:06 PST 2018; root:xnu-3789.73.11~1/RELEASE_X86_64 x86_64"
}

@robgil
Copy link

robgil commented Apr 25, 2018

@colinsurprenant perfect! I'll give this a try tomorrow against some test boxes and perhaps one of our network devices.

@colinsurprenant
Copy link
Contributor Author

@robgil I am not sure I understand

The root prefix is interesting. I'd consider it undesirable and [...]

Did you mean "The root prefix is UNinteresting" ?

@robgil
Copy link

robgil commented Apr 25, 2018

@colinsurprenant I haven't run an snmpwalk in a while, but iirc it looks more like system.sysName.0 vs. 1.3.6.1.2.mib-2.system.sysName.0. I'll take a look tomorrow.

@colinsurprenant
Copy link
Contributor Author

yeah ... I think I'll add something like a strip_root_prefix true/false option or maybe the dept to strip. It is pretty useless and redundant.

@colinsurprenant
Copy link
Contributor Author

I just added the oid_root_skip option. it defaults to 0 but if you set it to 6 for example, event fields will be system.sysName.0.

@colinsurprenant colinsurprenant self-assigned this Apr 27, 2018
@colinsurprenant
Copy link
Contributor Author

I'll close this issue, I merged the above option to strip the prefix, we can reopen if needed.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@colinsurprenant colinsurprenant

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@colinsurprenant @robgil