Cribl LogStream – Docs

Cribl LogStream Documentation

Download entire manual as PDF - v2.4.4

SNMP Trap

Cribl LogStream supports receiving data from SNMP Traps.

Type: Push | TLS Support: No | Event Breaker Support: No

Configuring Cribl LogStream to Receive SNMP Traps

Select Data > Sources, then select SNMP Trap from the Data Sources page's tiles or left menu. Click Add New to open the SNMP Trap > New Source pane, which provides the fields outlined below.

LogStream ships with an SNMP Trap Source preconfigured to listen on Port 9162. You can clone or directly modify this Source to further configure it, and then enable it.

General Settings

Input ID: Enter a unique name to identify this Source definition.

Address: Address to bind on. Defaults to 0.0.0.0 (all addresses).

UDP Port: Port on which to receive SNMP traps. Defaults to 162.

Processing Settings

Fields (Metadata)

In this section, you can add fields/metadata to each event using Eval-like functionality.

Name: Field name.

Value: JavaScript expression to compute field's value (can be a constant).

Pre-Processing

In this section's Pipeline drop-down list, you can select a single existing Pipeline to process data from this input before the data is sent through the Routes.

Advanced Settings

IP whitelist regex: Regex matching IP addresses that are allowed to send data. Defaults to .* (i.e., all IPs).

Max buffer size (events): Maximum number of events to buffer when downstream is blocking. Defaults to 1000.
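
For the IP whitelist regex setting above: the following is an added example (not Cribl's code) that builds an anchored, dot-escaped pattern from exact sender addresses and compares what it admits with a loosely written pattern. It assumes the regex is applied with JavaScript RegExp.test() search semantics; the function names and sample addresses are constructed for illustration.

```javascript
// Added example: build an anchored allowlist regex for trap senders.
// Assumption: the setting's regex is evaluated like JavaScript RegExp.test(),
// so an unanchored pattern matches anywhere inside the sender's IP string.

// Escape regex metacharacters so "." matches a literal dot only.
function escapeRegex(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Validate a dotted-quad IPv4 address (four octets, each 0-255).
function isIPv4(s) {
  const parts = s.split('.');
  return parts.length === 4 &&
    parts.every(p => /^(0|[1-9]\d{0,2})$/.test(p) && Number(p) <= 255);
}

// Build ^(?:ip1|ip2|...)$ from exact sender addresses.
function buildAllowlistRegex(ips) {
  if (ips.length === 0) throw new Error('empty allowlist');
  for (const ip of ips) {
    if (!isIPv4(ip)) throw new Error(`not an IPv4 address: ${ip}`);
  }
  return '^(?:' + ips.map(escapeRegex).join('|') + ')$';
}

// Return the candidate addresses that a pattern would admit.
function admitted(pattern, candidates) {
  const re = new RegExp(pattern);
  return candidates.filter(ip => re.test(ip));
}

// Constructed sample data: two managed devices plus look-alike addresses.
const trusted = ['10.0.0.1', '192.168.5.20'];
const candidates = ['10.0.0.1', '192.168.5.20', '110.0.0.10',
                    '10.0.0.15', '10.0.0.100', '203.0.113.7'];

const weak = '10.0.0.1|192.168.5.20';        // unanchored, dots unescaped
const strict = buildAllowlistRegex(trusted); // anchored, dots escaped

console.log('weak  :', admitted(weak, candidates));
console.log('strict:', admitted(strict, candidates));
```

Traps arrive over UDP without TLS, so the sender address is not authenticated; the allowlist narrows who is accepted but does not replace network-level filtering.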

Internal Fields

Cribl LogStream uses a set of internal fields to assist in handling of data. These "meta" fields are not part of an event, but they are accessible, and Functions can use them to make processing decisions.

Fields for this Source:

  • __inputId
  • __snmpVersion: Acceptable values are 0, 2, 3. Versions: 0=v1, 2=v2c, 3=v3.
  • __srcIpPort: <hostname>|port
  • __snmpRaw: Buffer containing Raw SNMP packet

Considerations for Working with SNMP Trap Data

  • It's possible to work with SNMP metadata (i.e., we'll decode the packet). Options include dropping, routing, etc.

  • SNMP packets can be forwarded to other SNMP destinations. However, the contents of the incoming packet cannot be modified – i.e., we'll forward the packets verbatim as they came in.

  • SNMP packets can be forwarded to non-SNMP destinations (e.g., Splunk, Syslog, S3, etc.).

  • Non-SNMP input data cannot be sent to SNMP destinations.

Updated 4 months ago
