Unable to get snmptrap working with logstash - logstash

I am trying to get the snmptrap input working with logstash. I am starting logstash as root initially because I want to make sure this works before changing ports. I am also using the local computer for SNMP because I thought that world be easier to start. When I use port 161 I get the “SNMP Trap listener died” error. If I change to port 162 I get no error, but no data. If I point to a server that does not exist I also get the SNMP Trap listener died error on any port. I believe it should be port 161, but I may be wrong.
Logstash works if I use a different input. I eventually want the output to go to graphite and that works too with different input.
Do I have something misconfigured? Is there some permission thing that could be causing a problem even though I am running as root and everything is on the same machine?
Thanks for any help.
This is my .conf file:
input {
snmptrap {
host => "127.0.0.1"
community => "public"
port => "161"
type => "snmp_trap"
}
}
output {
stdout { codec => rubydebug }
}
This is the partial result of snmpwalk locally:
snmpwalk -mAll -v1 -cpublic 127.0.0.1:161
iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.8072.3.2.10
iso.3.6.1.2.1.1.3.0 = Timeticks: (7218152) 20:03:01.52
This is netstat:
root#lab-graphite:~# netstat -lpn | grep snmp
udp 0 0 127.0.0.1:161 0.0.0.0:* 43559/snmpd
udp 0 0 0.0.0.0:54155 0.0.0.0:* 43559/snmpd
unix 2 [ ACC ] STREAM LISTENING 2593117 43559/snmpd /var/agentx/master
This is the full error message:
SNMP Trap listener died {:exception=>#<SocketError: bind: name or service not known>, :backtrace=>["org/jruby/ext/socket/RubyUDPSocket.java:160:in `bind'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/snmp-1.2.0/lib/snmp/manager.rb:540:in `initialize'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/snmp-1.2.0/lib/snmp/manager.rb:585:in `create_transport'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/snmp-1.2.0/lib/snmp/manager.rb:618:in `initialize'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-input-snmptrap-2.0.4/lib/logstash/inputs/snmptrap.rb:74:in `build_trap_listener'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-input-snmptrap-2.0.4/lib/logstash/inputs/snmptrap.rb:78:in `snmptrap_listener'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-input-snmptrap-2.0.4/lib/logstash/inputs/snmptrap.rb:53:in `run'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-2.3.2-java/lib/logstash/pipeline.rb:342:in `inputworker'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-2.3.2-java/lib/logstash/pipeline.rb:336:in `start_input'"], :level=>:warn}

In .conf file "host" parameter stands for ip address or hostname of computer running logstash. If you are going to receive snmp traps from external world sources it should not be localhost (127.0.0.1). It is OK for local setup tests though.
As already mentioned in comment, default snmptrap port is 162 (and there is no reason to change it in your setup).
Also, since netstat shows that there is snmpd running and it listens to udp port 161, your logstash won't be allowed to bind to the same port 161.
`snmpwalk` is not the right way to test your setup (it actually polls snmpd daemon on port 161) - it is `snmptrap` command that will send trap to your logstash input. For example,
`snmptrap -v1 -c public 127.0.0.1 .1.3 i 0 123456780 127.0.0.1 0 .1.3.6 i 12345`
You can also run tcpdump port 162 as root to check that snmptrap is sending packets to target at 127.0.0.1:162 .
(here 127.0.0.1 is the host address used in logstash .conf below).
So, for local test use
`snmptrap {
host => "127.0.0.1"
community => "public"
port => "162"
type => "snmp_trap"
}
}`

I was using the SNMPTRAP input, but expecting it to work like a regular SNMP get. It was actually working, but no traps were being sent.

Related

Linux/MacOs - Know which process filter UDP 443 packets

Is there a way, on Linux / MacOs to find which process is filtering my UDP packets on a specific port ?
Here some details and why I'm asking:
On my MacOs ( Mojave 10.14) , if I try to send a UDP packet to any address ( DNS resolves correctly) to port 443, I cannot see anything leaving my laptop ( using tcpdump)
If I do the exact same test but for a different port , for instance 444, I can see the packet leaving ( on tcpdump).
There is a process which is filtering UDP packet to port 443 and I want to know which process it is ( Firewall disabled on my mac).
The exact commands I'm using for my tests :
sudo tcpdump udp port 443
nc -u IPADDRESS 443
I type something stuff here..
==> I cannot see anything going through
sudo tcpdump udp port 444
nc -u IPADDRESS 444
I type something stuff here..
==> I can see a datagram leaving my interface
I know this can be tricky to find which process might be filtering this port.. If anyone has an idea, would be great.
I would not want to rely on the method ' Kill everything until it works'

Linux port blocked - This site can't be reached, refused to connect

I set my linux as an access point, and then run simple web-server that print "hello world" at port 3000.
and connect it with my smart phone successfully.
in linux terminal, http://localhost:3000 works well.
But in smart phone,
If I access to http://172.24.1.105:3000, can't connect to it. (172.24... is ap's ip)
the chrome's error message is
This site can't be reached. 172.24.1.105 refused to connect
I searched Google (https://serverfault.com/questions/725262/what-causes-the-connection-refused-message) and I suspicious linux's firewall.
pi#raspberrypi:~/prj/ap_server $ sudo tcpdump -n icmp
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
... when I access to port 3000,
15:07:13.102750 IP 192.168.0.3 > 168.126.63.2: ICMP 192.168.0.3 udp port 42531 unreachable, length 386
the log is above. so I couldn't reach ap's webserver.
so I wonder two things...
1. How can I disable to its port block?
2. in tcpdump log, I access to port 3000 actually, why the log print port 42531?
Plus)
even I type sudo service iptables stop, the problem is not solved
sudo netstat -ntlp | grep 3000 logs:
**tcp6 0 0 :::3000 :::* LISTEN 1999/nodejs**
+I followed this tutorial-> https://frillip.com/using-your-raspberry-pi-3-as-a-wifi-access-point-with-hostapd/ .
and there is ipv4 setting.
If you want to run it on your mobile it will work on Live IP (externel) address
if it is working fine on local address (localhost) and not on live IP then
enable routing from your router
and allow that specific port it will work fine.
I found the issue.
my dhcp set was
interface=wlan0 # Use interface wlan0
listen-address=172.24.1.1 # Explicitly specify the address to listen on
bind-interfaces # Bind to the interface to make sure we aren't sending things elsewhere
server=8.8.8.8 # Forward DNS requests to Google DNS
domain-needed # Don't forward short names
bogus-priv # Never forward addresses in the non-routed address spaces.
dhcp-range=172.24.1.50,172.24.1.150,12h # Assign IP addresses between 172.24.1.50 and 172.24.1.150 with a 12 hour lease time
like above.
I tried to connect the external ip(172.24.1.105) that I can see on mobile continuously but got failed. but when I tried with 172.24.1.1, then success.
I don't know why. maybe there is accurate ip address and something in mobile is temporal.
See similar topic at Node JS not listening to port 1337 on server
Your web server is not listening remote address.

I cant connect to my Amazon ec2 running nodejs using tcp

Hi all I have created an Ubuntu EC2 instance and have installed nodejs on it. Am running a simple node js script (which IS running and not throwing any errors:
var net = require('net');
var server = net.createServer(function (socket) {
socket.write("from server\r\n");
socket.pipe(socket);
});
server.listen(8000, "localhost");
console.log("TCP server listening on port 8000 at localhost.");
to test this, (am on windows) I am running a program called hercules to attempt a tcp connection, but it always comes back with tcp connection error: 10061
and the IP address can't be pinged either.
My ec2's IP address is 54.76.31.140. I have added an inbound tcp:8000 0.0.0.0 rule to my security group in the aws console and I have added hercules to my windows firewall and avg exceptions. I have also added an exception to my home dsl router and finally I have checked the ubuntu iptables there are no rules set.
Pls help, I can't seem to find whats wrong here.
If you tell the server to listen on "localhost," that's the only place it will listen -- "localhost" -- the loopback interface, 127.0.0.1, which is only accessible from... the local host.
Remove the 2nd argument to server.listen().
http://nodejs.org/api/net.html#net_server_listen_port_host_backlog_callback
If you want to be able to ping your instance, you have to allow ICMP in the security group.
Also, before you fix it, and after, run this, and note the difference in output:
$ netstat -a -n | grep 8000 | grep -i tcp

The controller is not available at localhost JBOSS.7.1.1.FINAL

When i run the jboss-cli.sh,
I get this message.
[root bin]# sh jboss-cli.sh
You are disconnected at the moment. Type 'connect' to connect to the server or 'help' for the list of supported commands.
[disconnected /] connect localhost
The controller is not available at localhost:9999
[disconnected /] connect
The controller is not available at localhost:9999
[disconnected /] connect localhost:9999
The controller is not available at localhost:9999
[disconnected /]
Also i have another installation of jboss5 GA. I hope that is not interfering.
Although that is totally shut down for now.
Native management interface is :9999 in standalone.sh
Please throw light on this issue.
#
EDITED
#
When i stop my service with "service jboss stop"
i get this message
[root# bin]# *** JBossAS process (7302) received KILL signal ***
grep: /var/run/jboss-as/jboss-as-standalone.pid: No such file or directory
I Dont know how to check whether server is listening on the port 9999 or not.
Few more details
[root bin]# netstat -anp |grep 9999
tcp 0 0 127.0.0.1:9999 0.0.0.0:* LISTEN 7931/java
[root bin]# netstat -anp |grep 8080
tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN 7931/java
JBoss processs id and the server id acquiring these ports is same.
This question has two issues ,
First, i have provided debuging parameter in the startup script.
If you see 8787 that means you have somewhere provided debuging argument.
Second and the most important one controller not available #localhost or #IPADDRESS .
Please check if you have used port offset, as it increments all the ports by the number with with you have set port offset.
Suppose port offset is 2
Then try to access connect localhost:10001 Port i.e 9999+2
On my production server sometimes it does not works with localhost , but works with IP address.
Then try to access connect IPADDRESS:9999
OR
Then try to access connect 127.0.0.1:9999
Please check in the firewall weather the port 9999 or what ever with port offset, if the port is not open in the firewall it gives error,
I asked this question 6 months back and the above checks has solved
the problem always.
This is probaby because you have changed your binding configuration and jboss does not bind to 127.0.0.1.
In case your jboss instance is not binding to 127.0.0.1, you may use --controller option as follows:
./jboss-cli.sh --controller=YOUR_IP:9999
Use netstat -anp |grep 9999 to find out if port 9999 is in use and by which process id. You could also check the host.xml used by the controller to configure the proper native port.
In the host xml, you should find the default port:
<native-interface security-realm="ManagementRealm">
<socket interface="management" port="${jboss.management.native.port:9999}"/>
./jboss-cli.sh --controller=localhost:9999 --connect
You open the debug-port with jboss-cli.sh. Either you activated in jboss-cli.sh:
# Sample JPDA settings for remote socket debugging
# JAVA_OPTS="$JAVA_OPTS -Xrunjdwp:transport=dt_socket,address=8787,server=y,suspend=n"
or you set JAVA_OPTS with such an option in you environment. See
echo $JAVA_OPTS
I guess you did this for two jboss-processes, and you get a port-conflict. See
netstat -nap | grep 8787
I recently faced this issue and the root cause that I found was completely different than it is listed above. It is because for some other project I shifted to JDK 1.8 from 1.7. Boom! and error started coming up...I took hell lot of time figuring out why it is coming up before finally realizing I changed my JDK version.
It might be because JBOSS 7 doesn't work with 1.8 of which I have limited knowledge but yes this might prove useful for some cases.

netstat commands to run on unix server, what commands should I use for my use-case and why?

Sorry in advance for such a noob question, but I'm certainly a noob.
My question is what does it mean to LISTEN or ACCEPT on a port as it relates to my example?
EXAMPLE:
I have a tomcat server, and It will use port 8080. I want to make sure that port is available for me to use.
What commands should I perform on my unix server and why?
what information would a command like this give me: netstat -an | grep LISTEN
If a port shows up as LISTEN in netstat, it means the port is in use by a server process, so you can't use it. Here is an example:
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN
which shows that port 631 is in use.
Ignore the UNIX type sockets at the end - they are irrelevant.
For checking port 8080 is in use or not, you can simply use the command netstat -an|grep 8080. If you get an output in below format, that means 8080 is already in use and you need to assign a new port for the tomcat.
# netstat -an
tcp 0 0 127.0.0.1:8080 0.0.0.0:* LISTEN
Netstat command displays various network related information such as network connections, routing tables, interface statistics, masquerade connections, multicast memberships etc,
a option with netstat will give you both listening and non listening ports
n option when you don’t want the name of the host, port or user to be displayed, use netstat -n option. This will display in numbers, instead of resolving the host name, port name, user name. This also speeds up the output, as netstat is not performing any look-up.
For more understand the use of netstat command here are its options:
-a : All ports
-t : Ports TCP
-u : Ports UDP
-l : Listening ports
-n : IP address without domain name resolution
-p : Name of the program and it associated PID
So:
-To display all port (TCP & UDP), PId with the associated name of the program :
$ netstat -paunt
-To display all Listening ports (TCP), PId with the associated name of the program : (and we can also filter with the grep command)
$ sudo netstat -plnt | grep ':80'
I hope it will be helpful :)
You can also use telnet to check if the port is open and listening e.g,
Zeeshan$ telnet google.com 80
Trying 173.194.35.5...
Connected to google.com.
Escape character is '^]'.
I am telnetting google.com on port 80. If you see the third line in the output, you will notice it says it is connected with the Google's web server. The same way you have a JAVA application server called Tomcat and it is listening on port 8080. In fact it is asking clients to connect to it on port 8080 so it can give away the JAVA services to client. When I will use from a client side telnet localhost 8080 I will be connected the same way I have connected with Google's web server on port 80. Provided that Tomcat is running and listening on port 8080. If port 8080 is not free and occupied by some other application you can simply change the port 8080 to another free port. Telnet should give you the following status:
accepted (connected), refused, and timeout
connection refused - nothing is running on that port
accepted - some application is running on the port
timeout - a firewall is blocking access
So now there are two possible ways to check. From the same machine you are running Tomcat server:
telnet localhost 8080
Of if you want to check it from some other machine or outside of the network:
telnet 192.168.1.1 8080
I hope that helps.
use can also run the below command, it will list the Port and corresponding PID, if any process is using those ports
netstat -tulpn

Resources