- Differences
Logstash_input_snmp: active collection. You supply the community string, OID, host and port, and Logstash polls the device for data.
Logstash_input_snmptrap: passive collection. The security device sends its logs as SNMP traps and Logstash simply receives them.
- Key terms
Community string: acts as the password for the client. The default is public and must be changed.
OID (object identifier): the uniquely identifying key of a value exposed by the SNMP agent.
MIB (management information base): maps numeric OIDs to human-readable names.
- Version selection
snmp version: 5.7.2 (the default version in the CentOS yum repository)
logstash version: 7.15.0 (version 5.0 is not supported)
- Installation steps
SNMP installation and configuration:
yum install snmp*
Some commands may turn out to be missing later, so add one more step:
yum install -y net-snmp-perl net-snmp-utils
Configure snmpd.conf (path: /etc/snmp/snmpd.conf):
# sec.name source community
com2sec notConfigUser default accur
com2sec mynetwork 172.16.1.0/24 accur
####
# Second, map the security name into a group name:
# groupName securityModel securityName
group notConfigGroup v1 notConfigUser
group notConfigGroup v2c notConfigUser
####
# Third, create a view for us to let the group have rights to:
# Make at least snmpwalk -v 1 localhost -c public system fast again.
# name incl/excl subtree mask(optional)
view all included .1.3.6.1.2.1.1
view all included .1.3.6.1.2.1.25.1.1
####
# Finally, grant the group read-only access to the systemview view.
# group context sec.model sec.level prefix read write notif
access notConfigGroup "" any noauth exact all none none
Change the corresponding entries according to the configuration above, then restart the service:
/bin/systemctl restart snmpd.service
Test; it is fine as long as information can be retrieved:
snmpwalk -v 2c -c accur 172.16.1.57:161
Logstash installation and configuration:
Fetch the logstash binary package:
wget https://artifacts.elastic.co/downloads/logstash/logstash-7.15.0-linux-x86_64.tar.gz
Extract it:
tar zxvf logstash-7.15.0-linux-x86_64.tar.gz
Add the configuration files (path: logstash-7.15.0/config/)
snmp.conf configuration and notes:
get takes the list of OIDs to poll
host is the target host IP address and port
community is the community string and must match the one configured on the device
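As an added example (not part of the original notes), the following Python script audits the com2sec lines of an snmpd.conf for the two weaknesses discussed above: a well-known default community string such as public, and a source of default, which lets any host use the community instead of restricting it to a subnet as the 172.16.1.0/24 line does. The sample configuration is constructed from the lines shown above plus one added line that still uses public; the minimum community length is a heuristic of this example, not a Net-SNMP rule.

```python
"""Audit snmpd.conf com2sec lines for weak community and source settings."""

# Well-known default community strings that ship with many devices.
DEFAULT_COMMUNITIES = {"public", "private"}
# Minimum community length: a heuristic chosen for this example, not a
# Net-SNMP requirement.
MIN_COMMUNITY_LEN = 8
# Constructed sample: the first two com2sec lines copy the notes above,
# the third is added so the default-community check has something to flag.
SAMPLE_SNMPD_CONF = """\
# sec.name source community
com2sec notConfigUser default accur
com2sec mynetwork 172.16.1.0/24 accur
com2sec legacy default public
"""


def parse_com2sec(text):
    """Return (sec.name, source, community) for each com2sec directive,
    skipping comments, blank lines and every other directive."""
    entries = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 4 and parts[0] == "com2sec":
            entries.append((parts[1], parts[2], parts[3]))
    return entries


def audit_com2sec(text):
    """Return (sec.name, issue) pairs; an empty list means nothing was flagged.

    'default-community': well-known community string still in use
    'short-community':   community shorter than MIN_COMMUNITY_LEN
    'any-source':        source 'default', so any host may use the community
    """
    findings = []
    for secname, source, community in parse_com2sec(text):
        if community.lower() in DEFAULT_COMMUNITIES:
            findings.append((secname, "default-community"))
        elif len(community) < MIN_COMMUNITY_LEN:
            findings.append((secname, "short-community"))
        if source == "default":
            findings.append((secname, "any-source"))
    return findings


if __name__ == "__main__":
    for secname, issue in audit_com2sec(SAMPLE_SNMPD_CONF):
        print(f"{secname}: {issue}")
```

Run it against the real file with `audit_com2sec(open("/etc/snmp/snmpd.conf").read())`; the notConfigUser line on this page is flagged for its default source, and both accur lines for the short community.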
input {
  snmp {
    get => ["1.3.6.1.2.1.1.1.0", "1.3.6.1.2.1.1.3.0", "1.3.6.1.2.1.1.5.0"]
    hosts => [{host => "udp:172.16.1.57/161" community => "accur"}]
  }
}
output {
  stdout { codec => rubydebug }
}
snmptrap.conf configuration and notes:
community is the community string and must match the one the device sends
host is the local IP address to listen on
port must be a port above 1024; if Logstash is started with root privileges it can be set to a port below 1024
input {
  snmptrap {
    type => "snmp"
    community => "accur"
    host => "0.0.0.0"
    port => "1062"
  }
}
output {
  stdout { codec => rubydebug }
}
- Collection test
snmp test:
Run from the logstash bin directory:
./logstash -f ../config/snmp.conf
Observe that the relevant information is collected automatically:
snmptrap test:
Run from the logstash bin directory:
./logstash -f ../config/snmptrap.conf
Once it has started, open another terminal and run:
snmptrap -v 2c -c accur 172.16.1.57:1062 '' 1.3.6.1.4.1.8072.2.3.0.1 1.3.6.1.4.1.8072.2.3.2.1 i 123456
Observe that the following information is received: