logstash snmp trap Received log Characters garbled #55

andrewvc opened this issue Mar 12, 2018 · 8 comments


@andrewvc

Moved from elastic/logstash#9211

Original reporter @zjcnew

[Screenshots of the log output: qq 20180307102600, qq 20180307100241]

How can I solve it?

@zjcnew

zjcnew commented Mar 13, 2018

Anybody solve it?

@colinsurprenant

@zjcnew could you please paste the log text and not a screen capture of the log text? This will make it easier to diagnose the problem. Thanks.

@zjcnew

zjcnew commented Mar 21, 2018

```
{
"SNMPv2-SMI::enterprises.3183.1.1.2" => "Unknown",
"message" => "#<SNMP::SNMPv1_Trap:0x58ab871f @enterprise=[1.3.6.1.4.1.3183.1.1], @timestamp=#<SNMP::TimeTicks:0x244958fa @value=1520385722>, @varbind_list=[#<SNMP::VarBind:0x5335c39 @name=[1.3.6.1.4.1.3183.1.1.1], @value="\xFE4\v\x80\xAA\xBE\x11\xE5\x80\x00\x00\x1Eg\xFB\x8C\x9E\x00\x18:b\xF4%\xFF\xFF \x00 \x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xC1\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00">, #<SNMP::VarBind:0x124b0ff @name=[1.3.6.1.4.1.3183.1.1.2], @value="Unknown">, #<SNMP::VarBind:0x6fc4a6a9 @name=[1.3.6.1.4.1.3183.1.1.3], @value="Unspecified">, #<SNMP::VarBind:0x5bfc3c33 @name=[1.3.6.1.4.1.3183.1.1.4], @value="FWCT54410799">, #<SNMP::VarBind:0x44b161e1 @name=[1.3.6.1.4.1.3183.1.1.5], @value="..........">, #<SNMP::VarBind:0x60b682c0 @name=[1.3.6.1.4.1.3183.1.1.6], @value="....................">], @specific_trap=0, @source_ip="172.23.10.111", @agent_addr=#<SNMP::IpAddress:0x2a8d8191 @value="\x00\x00\x00\x00">, @generic_trap=6>",
"@timestamp" => 2018-03-07T01:22:02.473Z,
"SNMPv2-SMI::enterprises.3183.1.1.6" => "....................",
"SNMPv2-SMI::enterprises.3183.1.1.5" => "..........",
"host" => "172.23.10.111",
"SNMPv2-SMI::enterprises.3183.1.1.1" => "\xFE4\v\x80\xAA\xBE\x11\xE5\x80\x00\x00\x1Eg\xFB\x8C\x9E\x00\x18:b\xF4%\xFF\xFF \x00 \x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xC1\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00",
"@Version" => "1",
"SNMPv2-SMI::enterprises.3183.1.1.4" => "FWCT54410799",
"SNMPv2-SMI::enterprises.3183.1.1.3" => "Unspecified"
}
```

@jerry235000

I've met the same issue. Has anyone solved it?

@colinsurprenant

@zjcnew @jerry235000 this looks like a hex encoded binary value. I tried playing with it to see if this can be decoded as a string without success. I would look at your MIB definition to find out what value type you are expecting for this OID.

@kunisen

kunisen commented Jun 15, 2022

Do we have any update, team?

@maggieghamry

Also checking to see if there is an update here - this issue is still occurring

@edmocosta edmocosta transferred this issue from logstash-plugins/logstash-input-snmptrap May 10, 2024
@edmocosta
Contributor

Hey folks,

We've moved this issue into this new SNMP integration plugin, which combines the logstash-input-snmp and logstash-input-snmptrap plugins into one.

Considering we've switched the underlying library from ruby-snmp to snmp4j, I'd suggest you upgrade to the integration plugin (migration guide) and try it again.

Those garbled values were probably being generated by some received binary/non-printable OctetString value, which seems to be parsed as is by ruby-snmp (which is weird considering the OID 1.3.6.1.4.1.3183.1.1.1 should be an OBJECT IDENTIFIER). If that's the case, a similar issue will happen with the new plugin as well, but the value will be encoded as a hex-string separated by `:`. We've opened an issue (#54) to allow OctetString to be parsed as ASCII replacing the invalid chars, but that wouldn't help if the value is in fact a binary value defined by the device's manufacturer.

As an alternative, a ruby filter could be used to properly parse those values.
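
The normalization such a ruby filter could apply, written as plain Ruby and added here as an example (it is not code from the plugin or from anyone in this thread): printable OctetString values stay text, binary ones become the colon-separated hex form mentioned above, and that hex form can be turned back into bytes. The function names and output keys are assumptions; the sample is the first 16 bytes of the 1.3.6.1.4.1.3183.1.1.1 value from the log in this issue.

```ruby
# Added example: names and output keys are illustrative, not the plugin's API.
HEX_STRING = /\A\h{2}(?::\h{2})*\z/

# True when the raw bytes are valid UTF-8 made only of printable characters.
def printable_text?(value)
  text = value.dup.force_encoding(Encoding::UTF_8)
  text.valid_encoding? && text !~ /[^[:print:]\t\r\n]/
end

# Raw bytes -> "fe:34:0b" (lossless, safe to index and to display).
def to_hex_string(value)
  value.unpack("C*").map { |byte| format("%02x", byte) }.join(":")
end

# "fe:34:0b" -> raw bytes, for decoding a vendor-defined structure later.
def from_hex_string(hex)
  raise ArgumentError, "not a colon-separated hex string" unless HEX_STRING.match?(hex)
  hex.split(":").map(&:hex).pack("C*")
end

# Keep readable values as text; never pass raw binary downstream.
def normalize_octet_string(value)
  if printable_text?(value)
    { "binary" => false, "text" => value.dup.force_encoding(Encoding::UTF_8) }
  else
    { "binary" => true, "length" => value.bytesize, "hex" => to_hex_string(value) }
  end
end

# First 16 bytes of the 1.3.6.1.4.1.3183.1.1.1 value from the log in this issue.
SAMPLE = "\xFE4\v\x80\xAA\xBE\x11\xE5\x80\x00\x00\x1Eg\xFB\x8C\x9E".b

if __FILE__ == $PROGRAM_NAME
  p normalize_octet_string(SAMPLE)
  p normalize_octet_string("FWCT54410799")
end
```

Inside a Logstash ruby filter the input would come from `event.get` on the varbind field and the result would be written back with `event.set`.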
