Hello everyone!
We are gathering our firewall data from our Cisco ASA 5545 via SNMP v3.
Now, when we query ciscoMemoryPoolFree, an overflow occurs somewhere.
Return value:
CISCO-MEMORY-POOL-MIB::ciscoMemoryPoolFree.1 = Gauge32: 4294967295 bytes
When this value gets saved into Elasticsearch, it is saved as -1.
The mapping in Elasticsearch is:
"ciscoMemoryPoolFree": {
  "properties": {
    "1": {
      "type": "long"
    },
    "6": {
      "type": "long"
    },
    "7": {
      "type": "long"
    },
    "8": {
      "type": "long"
    }
  }
}
It looks like there is an overflow somewhere in the pipeline.
Maybe someone knows more.
Best regards
OK, so you want it to be integer, not long. Which makes sense, since the RFC defines Gauge32 to be a non-negative integer...
The Gauge32 type represents a non-negative integer, which may
increase or decrease, but shall never exceed a maximum value, nor
fall below a minimum value. The maximum value can not be greater
than 2^32-1 (4294967295 decimal), and the minimum value can not be
smaller than 0. The value of a Gauge32 has its maximum value
whenever the information being modeled is greater than or equal to
its maximum value
But isn't integer defined as having a maximum value of 2^31-1?
Like said here:
https://www.elastic.co/guide/en/elasticsearch/reference/current/number.html
So it wouldn't fit into the integer?
mutate {
  convert => {
    "9.ciscoMemoryPoolMIB.ciscoMemoryPoolObjects.ciscoMemoryPoolTable.ciscoMemoryPoolEntry.ciscoMemoryPoolFree.1" => "integer"
  }
}
grok { match => [ "9.ciscoMemoryPoolMIB.ciscoMemoryPoolObjects.ciscoMemoryPoolTable.ciscoMemoryPoolEntry.ciscoMemoryPoolFree.1", "%{NUMBER:testconversion:int}" ] }
Nothing works, I still get only -1.
Any tips?
Well, my solution for the moment is just:
if [9.ciscoMemoryPoolMIB.ciscoMemoryPoolObjects.ciscoMemoryPoolTable.ciscoMemoryPoolEntry.ciscoMemoryPoolFree.1] == -1 {
  mutate {
    replace => {
      "9.ciscoMemoryPoolMIB.ciscoMemoryPoolObjects.ciscoMemoryPoolTable.ciscoMemoryPoolEntry.ciscoMemoryPoolFree.1" => 4294967295
    }
  }
}
Not beautiful, but the only thing that works.
It is indeed a bug in the snmp-input plugin.
I wrote a patch and an issue on GitHub.
You can find it here:
github.com/logstash-plugins/logstash-input-snmp
Hello!
In the SNMP specification GAUGE and GAUGE32 are defined as 32-bit unsigned integers.
In this plugin however GAUGE AND GAUGE32 are casted...
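
Added example, not part of the original thread and not the plugin's code: it reproduces how the Gauge32 maximum turns into -1 and generalizes the `== -1` workaround above to any Gauge32 reading of 2^31 or more. It assumes the value was narrowed to a signed 32-bit integer somewhere in the pipeline, which is what the -1 reading suggests; all function names, the short field names and the sample values are constructed for illustration.

```ruby
# Added illustration; not code from logstash-input-snmp or from the thread.
UINT32_MAX  = 0xFFFFFFFF            # 2^32-1, the Gauge32 ceiling quoted from the RFC
INT32_RANGE = (-2**31..2**31 - 1)   # what a signed 32-bit integer can hold

# What a narrowing cast to a signed 32-bit integer does to an unsigned value:
# the same 4 bytes are read back with the top bit treated as the sign.
def as_signed32(unsigned)
  [unsigned & UINT32_MAX].pack("L").unpack1("l")
end

# Inverse: recover the unsigned reading from its signed 32-bit reinterpretation.
def as_unsigned32(signed)
  raise RangeError, "#{signed} is not a 32-bit value" unless INT32_RANGE.cover?(signed)
  signed & UINT32_MAX
end

# Repair only fields known to be Gauge32. A field that is legitimately signed
# must not be listed here, or a real negative value would be rewritten.
def repair_gauge32(event, gauge_fields)
  fixed = event.dup
  gauge_fields.each do |name|
    value = fixed[name]
    fixed[name] = as_unsigned32(value) if value.is_a?(Integer) && value.negative?
  end
  fixed
end

# Constructed sample event (field names shortened, values invented).
SAMPLE_EVENT = {
  "ciscoMemoryPoolFree.1" => -1,              # was 4294967295
  "ciscoMemoryPoolFree.6" => -1_294_967_296,  # was 3000000000
  "ciscoMemoryPoolFree.7" => 52_428_800,      # below 2^31, arrived intact
  "host"                  => "asa-example"
}.freeze

GAUGE_FIELDS = SAMPLE_EVENT.keys.grep(/\AciscoMemoryPoolFree\./)
REPAIRED     = repair_gauge32(SAMPLE_EVENT, GAUGE_FIELDS)

REPAIRED.each { |name, value| puts "#{name} = #{value}" }
```

The repaired values exceed 2^31-1, so they need the `long` mapping shown in the first post; an Elasticsearch `integer` field cannot hold them.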