SNMP fails to handle enterpriseSpecific traps

Description

I was watching https://logstash.jira.com/browse/LOGSTASH-1595#icft=LOGSTASH-1595 in hopes it would resolve the issue, however, it did not. I dug into this more and found that the SNMP trap input has problems if it doesn't know how to handle the trap.

In my case, I was trying to get mac address notifications - I did not copy any extra MIB files to be parsed. When the switch sends the trap logstash hard blocks and needs to be killed. Once killed the following error appears multiple times:

Failed to flush outgoing items {
:outgoing_count=>3,
:exception=>#<Encoding::UndefinedConversionError: ""\xE5"" from ASCII-8BIT to UTF-8>,
:backtrace=>[
"org/jruby/RubyString.java:7571:in `encode'",
"json/ext/GeneratorMethods.java:71:in `to_json'",
"file:/opt/logstash/logstash-1.4.0.dev-flatjar.jar!/logstash/event.rb:168:in `to_json'",
"file:/opt/logstash/logstash-1.4.0.dev-flatjar.jar!/logstash/outputs/elasticsearch.rb:322:in `flush'",
"org/jruby/RubyArray.java:1613:in `each'",
"file:/opt/logstash/logstash-1.4.0.dev-flatjar.jar!/logstash/outputs/elasticsearch.rb:310:in `flush'",
"file:/opt/logstash/logstash-1.4.0.dev-flatjar.jar!/stud/buffer.rb:219:in `buffer_flush'",
"org/jruby/RubyHash.java:1338:in `each'",
"file:/opt/logstash/logstash-1.4.0.dev-flatjar.jar!/stud/buffer.rb:216:in `buffer_flush'",
"file:/opt/logstash/logstash-1.4.0.dev-flatjar.jar!/stud/buffer.rb:193:in `buffer_flush'",
"file:/opt/logstash/logstash-1.4.0.dev-flatjar.jar!/stud/buffer.rb:112:in `buffer_initialize'",
"org/jruby/RubyKernel.java:1519:in `loop'",
"file:/opt/logstash/logstash-1.4.0.dev-flatjar.jar!/stud/buffer.rb:110:in `buffer_initialize'"],
:level=>:warn
}

In this case, the \xE5 appears to be related to the MAC address in the SNMP trap.

The trap being sent is the following information:

Operation: Deleted Vlan: 1 MAC Addr: 0009.0fe5.9967 Dot1dBasePort: 31

Attaching the pcap of some traps. Packet 4 triggers the error.

At the very least, logstash should handle the error without blocking, dropping the message with a non-critical error.

Attachments

1
  • 09 Jan 2014, 02:37 AM

Gliffy Diagrams

Activity

Show:

Jason Kendall July 16, 2014 at 2:55 PM

New info from IRC shows this bug is not solved, and the real reason was found.

https://github.com/hallidave/ruby-snmp/issues/33

Jason Kendall May 28, 2014 at 1:38 AM

Seems to be resolved in 1.4.1

Jason Kendall March 13, 2014 at 1:27 AM

Just tested with 2ab6b5cfe835792ff88995195653c55ac56abeed (Basicly RC1) Issue remains dispite d083dcb26433e3707b52fb6274cde347660120c7.

Fixed

Details

Assignee

Reporter

Affects versions

Created January 9, 2014 at 2:37 AM
Updated July 16, 2014 at 2:55 PM
Resolved May 28, 2014 at 1:38 AM