OK, thank you. I removed the community string from the input.snmp.trap configuration.
Do you mind confirming whether the snmptrapd service should run on the Linux machine where the telegraf plugin is installed, to get the traps from remote agents?
No, as from this point telegraf is the trap handler agent…
Hi,
I have configured a new .conf file specifically to capture snmp_trap data. While executing the test I am getting an "address already in use" error. Apart from telegraf, we have not used port 162 for any other application.
```
[root@tsdcgbddwmdk01 telegraf.d]# telegraf --config telegraf_snmp_trap.conf --test
2023-08-02T11:19:04Z I! Loading config file: telegraf_snmp_trap.conf
2023-08-02T11:19:04Z W! DeprecationWarning: Option "timeout" of plugin "inputs.snmp_trap" deprecated since version 1.20.0 and will be removed in 2.0.0: unused option
2023-08-02T11:19:04Z I! Starting Telegraf 1.26.0
2023-08-02T11:19:04Z I! Available plugins: 235 inputs, 9 aggregators, 27 processors, 22 parsers, 57 outputs, 2 secret-stores
2023-08-02T11:19:04Z I! Loaded inputs: snmp_trap
2023-08-02T11:19:04Z I! Loaded aggregators:
2023-08-02T11:19:04Z I! Loaded processors:
2023-08-02T11:19:04Z I! Loaded secretstores:
2023-08-02T11:19:04Z W! Outputs are not used in testing mode!
2023-08-02T11:19:04Z I! Tags enabled: host=tsdcgbddwmdk01
2023-08-02T11:19:04Z W! Deprecated inputs: 0 and 1 options
2023-08-02T11:19:04Z E! [agent] Starting input inputs.snmp_trap: listen udp :162: bind: address already in use
```
I believe the system where the telegraf plugin is installed has port 162 enabled by default. Currently I don't want to get the data from the local system; instead I would like to capture snmptrap from remote agents.
I tried to kill this PID, but as soon as I start `telegraf --config telegraf_snmp_trap.conf --test`, it shows `Starting input inputs.snmp_trap: listen udp :162: bind: address already in use`.
```
[root@tsdcgbddwmdk01 bin]# sudo lsof -i udp:162
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
telegraf 21372 telegraf 7u IPv4 4595607 0t0 UDP *:snmptrap
```
The only way that telegraf tries to use port 162 is if your config specifies the snmp_trap plugin, which is not enabled by default.
You probably have telegraf running as a service or in another terminal and it is using the port. Kill that process and see if it restarts or not and it might tell you if it is a service.
I am unable to get any data from the remote agents for the input.snmp.trap plugin. But there are no issues at the remote agents, as the logs show they sent the data to the telegraf agent.
I did kill the process and test the telegraf_trap .conf file, but no update was received at InfluxDB.
```
[root@tsdcgbddwmdk01 telegraf.d]# sudo lsof -i udp:162
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
telegraf 12910 telegraf 7u IPv4 5634917 0t0 UDP *:snmptrap
[root@tsdcgbddwmdk01 telegraf.d]# kill -9 12910
[root@tsdcgbddwmdk01 telegraf.d]# telegraf --config telegraf_snmp_trap.conf --test
2023-08-03T10:40:33Z I! Loading config file: telegraf_snmp_trap.conf
2023-08-03T10:40:33Z W! DeprecationWarning: Option "timeout" of plugin "inputs.snmp_trap" deprecated since version 1.20.0 and will be removed in 2.0.0: unused option
2023-08-03T10:40:33Z I! Starting Telegraf 1.26.0
2023-08-03T10:40:33Z I! Available plugins: 235 inputs, 9 aggregators, 27 processors, 22 parsers, 57 outputs, 2 secret-stores
2023-08-03T10:40:33Z I! Loaded inputs: snmp_trap
2023-08-03T10:40:33Z I! Loaded aggregators:
2023-08-03T10:40:33Z I! Loaded processors:
2023-08-03T10:40:33Z I! Loaded secretstores:
2023-08-03T10:40:33Z W! Outputs are not used in testing mode!
2023-08-03T10:40:33Z I! Tags enabled: host=hvnpldwmdk01
2023-08-03T10:40:33Z W! Deprecated inputs: 0 and 1 options
2023-08-03T10:40:33Z I! [inputs.snmp_trap] Listening on udp://:162
[root@tsdcgbddwmdk01 telegraf.d]#
```
2nd attempt:
```
[root@tsdcgbddwmdk01 telegraf.d]# telegraf --config telegraf_snmp_trap.conf --test
2023-08-03T10:48:40Z I! Loading config file: telegraf_snmp_trap.conf
2023-08-03T10:48:40Z W! DeprecationWarning: Option "timeout" of plugin "inputs.snmp_trap" deprecated since version 1.20.0 and will be removed in 2.0.0: unused option
2023-08-03T10:48:40Z I! Starting Telegraf 1.26.0
2023-08-03T10:48:40Z I! Available plugins: 235 inputs, 9 aggregators, 27 processors, 22 parsers, 57 outputs, 2 secret-stores
2023-08-03T10:48:40Z I! Loaded inputs: snmp_trap
2023-08-03T10:48:40Z I! Loaded aggregators:
2023-08-03T10:48:40Z I! Loaded processors:
2023-08-03T10:48:40Z I! Loaded secretstores:
2023-08-03T10:48:40Z W! Outputs are not used in testing mode!
2023-08-03T10:48:40Z I! Tags enabled: host=hvnpldwmdk01
2023-08-03T10:48:40Z W! Deprecated inputs: 0 and 1 options
2023-08-03T10:48:40Z E! [agent] Starting input inputs.snmp_trap: listen udp :162: bind: address already in use
```
/////////////////////////////////////////////////////////////////////////////////////////////
snmp.conf file configuration is here
```
mibdirs /usr/share/snmp/mibs
mibs +All
```
`--test` is an instant run of collection. In order for traps to be received, telegraf needs to listen on that port for a little more time; see my previous post on how to do that.
I appreciate you and @jpowers for the continued support on this.
Please note that, to make this easier, I have added a specific .conf file enabling only the inputs.snmp_trap plugin.
While executing the test mode of telegraf, I did not receive any output. Currently 40+ devices have traps enabled with port 162. The remote server sent out a few traps successfully.
```
[root@tsdcgbddwmdk01 telegraf]# telegraf --test-wait 60
2023-08-04T07:09:22Z I! Loading config file: /etc/telegraf/telegraf.conf
2023-08-04T07:09:22Z W! DeprecationWarning: Option "timeout" of plugin "inputs.snmp_trap" deprecated since version 1.20.0 and will be removed in 2.0.0: unused option
2023-08-04T07:09:22Z I! Starting Telegraf 1.26.0
2023-08-04T07:09:22Z I! Available plugins: 235 inputs, 9 aggregators, 27 processors, 22 parsers, 57 outputs, 2 secret-stores
2023-08-04T07:09:22Z I! Loaded inputs: snmp_trap
2023-08-04T07:09:22Z I! Loaded aggregators:
2023-08-04T07:09:22Z I! Loaded processors:
2023-08-04T07:09:22Z I! Loaded secretstores:
2023-08-04T07:09:22Z W! Outputs are not used in testing mode!
2023-08-04T07:09:22Z I! Tags enabled: host=hvnpldwmdk01
2023-08-04T07:09:22Z W! Deprecated inputs: 0 and 1 options
2023-08-04T07:09:22Z E! [agent] Starting input inputs.snmp_trap: listen udp :162: bind: address already in use
```
The message says something is already listening to that port, so stop that first.
Also have a look at your config, and remove that deprecated option; it does nothing anymore…
You can’t run 2 telegraf instances listening to the same port at the same time.
Anyway, when you kill all listening PIDs and then start telegraf in test-wait mode, then you should be able to send and receive traps…
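The port conflict behind `bind: address already in use`, reproduced as an added example (not part of the original posts and not Telegraf code). It assumes a kernel-assigned loopback port instead of 162 so it runs without root; the function names `try_bind_udp` and `demo` are hypothetical.

```python
import errno
import socket


def try_bind_udp(host, port):
    """Try to bind a UDP socket; return (socket, None) or (None, errno name)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        sock.bind((host, port))
    except OSError as exc:
        sock.close()
        return None, errno.errorcode.get(exc.errno, str(exc.errno))
    return sock, None


def demo():
    # The first listener stands in for the process that already holds the port
    # (in the thread: the telegraf instance shown by lsof). Port 0 lets the
    # kernel pick a free unprivileged port.
    first, err = try_bind_udp("127.0.0.1", 0)
    if err is not None:
        raise RuntimeError("could not open first listener: " + err)
    port = first.getsockname()[1]

    # The second bind stands in for a manual test run started while the
    # first listener is still alive. It is refused by the kernel.
    second, second_err = try_bind_udp("127.0.0.1", port)

    # A datagram sent to the port is delivered to the first listener only.
    payload = b"constructed-test-datagram"  # constructed sample, not a real trap
    sender = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sender.sendto(payload, ("127.0.0.1", port))
    first.settimeout(2.0)
    received, _ = first.recvfrom(2048)

    sender.close()
    first.close()
    if second is not None:
        second.close()
    return {"second_bind_error": second_err, "first_received": received == payload}


if __name__ == "__main__":
    print(demo())
```
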
Please note, I have not enabled 2 telegraf instances to listen on port 162. I have enabled it in only one file. Here is the output; I don't see any further output.
```
[root@tsdcgbddwmdk01 telegraf]# sudo lsof -i udp:162
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
telegraf 3346 telegraf 7u IPv4 7221423 0t0 UDP *:snmptrap
[root@tsdcgbddwmdk01 telegraf]# kill -9 3346
[root@tsdcgbddwmdk01 telegraf]# telegraf --test-wait 60
2023-08-04T14:25:38Z I! Loading config file: /etc/telegraf/telegraf.conf
2023-08-04T14:25:38Z W! DeprecationWarning: Option "timeout" of plugin "inputs.snmp_trap" deprecated since version 1.20.0 and will be removed in 2.0.0: unused option
2023-08-04T14:25:38Z I! Starting Telegraf 1.26.0
2023-08-04T14:25:38Z I! Available plugins: 235 inputs, 9 aggregators, 27 processors, 22 parsers, 57 outputs, 2 secret-stores
2023-08-04T14:25:38Z I! Loaded inputs: snmp_trap
2023-08-04T14:25:38Z I! Loaded aggregators:
2023-08-04T14:25:38Z I! Loaded processors:
2023-08-04T14:25:38Z I! Loaded secretstores:
2023-08-04T14:25:38Z I! Loaded outputs: influxdb_v2
2023-08-04T14:25:38Z I! Tags enabled: host=hvnpldwmdk01
2023-08-04T14:25:38Z W! Deprecated inputs: 0 and 1 options
2023-08-04T14:25:38Z I! [agent] Config: Interval:10s, Quiet:false, Hostname:"hvnpldwmdk01", Flush Interval:10s
2023-08-04T14:25:38Z I! [inputs.snmp_trap] Listening on udp://:162
```
This is all fine. Now you just need to send a trap manually or trigger a device to send a trap and you will see it in that terminal (within 60 seconds, otherwise increase the timeout value of your command)
Hi,
I have enabled the snmp_trap plugin and kept it running for the last 3 days, but to date I have not received any traps in InfluxDB. Meanwhile the other configuration file works fine for the input_snmp plugin.
Please let me know if I need to make any additional changes to the snmp/snmptrapd services on the Linux machine.
```
# Configuration for telegraf agent
[agent]
round_interval = true
# metric_batch_size = 1000
# metric_buffer_limit = 10000
# collection_jitter = "0s"
# collection_offset = "0s"
flush_interval = "10s"
flush_jitter = "0s"
## Precision will NOT be used for service inputs. It is up to each individual
## service input to set the timestamp at the appropriate precision.
precision = "0s"
# # Receive SNMP traps
[[inputs.snmp_trap]]
service_address = "udp://:162"
# ##
# ## Path to mib files
# ## Used by the gosmi translator.
# ## To add paths when translating with netsnmp, use the MIBDIRS environment variable
path = ["/usr/share/snmp/mibs"]
# ##
# ## Deprecated in 1.20.0; no longer running snmptranslate
# ## Timeout running snmptranslate command
timeout = "25s"
# ## Snmp version
version = "2c"
```
I have created a specific .conf file to capture only inputs.snmp_trap data. I am going to keep monitoring for the next 24 hours to watch for the real traps. I will keep you updated on this. Thanks
Hi,
I have monitored for more than 24 hours, but did not receive any traps even though there was a major alert triggered from the server. The remote server shows the traps as sent out.
Basically I should be able to see the measurement as snmp_traps within InfluxDB along with the community list, but I don't see any such configuration generated automatically.
Please suggest whether anything needs to be validated within the configuration or the snmptrapd services.
Configuration
```
# Configuration for telegraf agent
[agent]
## Default data collection interval for all inputs
interval = "10s"
## Rounds collection interval to 'interval'
## ie, if interval="10s" then always collect on :00, :10, :20, etc.
round_interval = true
## Telegraf will send metrics to outputs in batches of at most
## metric_batch_size metrics.
## This controls the size of writes that Telegraf sends to output plugins.
metric_batch_size = 1000
## Maximum number of unwritten metrics per output. Increasing this value
## allows for longer periods of output downtime without dropping metrics at the
## cost of higher maximum memory usage.
metric_buffer_limit = 10000
## Collection jitter is used to jitter the collection by a random amount.
## Each plugin will sleep for a random time within jitter before collecting.
## This can be used to avoid many plugins querying things like sysfs at the
## same time, which can have a measurable effect on the system.
collection_jitter = "0s"
## Collection offset is used to shift the collection by the given amount.
## This can be be used to avoid many plugins querying constraint devices
## at the same time by manually scheduling them in time.
# collection_offset = "0s"
## Default flushing interval for all outputs. Maximum flush_interval will be
## flush_interval + flush_jitter
flush_interval = "10s"
## Jitter the flush interval by a random amount. This is primarily to avoid
## large write spikes for users running a large number of telegraf instances.
## ie, a jitter of 5s and interval 10s means flushes will happen every 10-15s
flush_jitter = "0s"
## Collected metrics are rounded to the precision specified. Precision is
## specified as an interval with an integer + unit (e.g. 0s, 10ms, 2us, 4s).
## Valid time units are "ns", "us" (or "µs"), "ms", "s".
##
## By default or when set to "0s", precision will be set to the same
## timestamp order as the collection interval, with the maximum being 1s:
## ie, when interval = "10s", precision will be "1s"
## when interval = "250ms", precision will be "1ms"
##
## Precision will NOT be used for service inputs. It is up to each individual
## service input to set the timestamp at the appropriate precision.
precision = "0s"
# # Receive SNMP traps
[[inputs.snmp_trap]]
# ## Transport, local address, and port to listen on. Transport must
# ## be "udp://". Omit local address to listen on all interfaces.
# ## example: "udp://127.0.0.1:1234"
# ##
# ## Special permissions may be required to listen on a port less than
# ## 1024. See README.md for details
# ##
service_address = "udp://:162"
# ##
# ## Path to mib files
# ## Used by the gosmi translator.
# ## To add paths when translating with netsnmp, use the MIBDIRS environment variable
path = ["/usr/share/snmp/mibs"]
# ##
# ## Deprecated in 1.20.0; no longer running snmptranslate
# ## Timeout running snmptranslate command
# timeout = "5s"
# ## Snmp version
version = "2c"
```
**Logs:**
```
2023-08-09T12:45:52Z D! [agent] Starting service inputs
2023-08-09T12:45:52Z I! [inputs.snmp_trap] Listening on udp://:162
```
Did you try this already with `--test-wait` and generating a trap as already requested multiple times?
Hi,
Yes, I did execute it multiple times with --test mode. Anyway, here is the latest output. I tried to send test traps from source devices; however, there is no output received.
```
[root@tsdcgbddwmdk01 telegraf.d]# telegraf --config telegraf_snmp_trap.conf --test-wait 60
2023-08-11T14:42:53Z I! Loading config file: telegraf_snmp_trap.conf
2023-08-11T14:42:53Z W! DeprecationWarning: Option "timeout" of plugin "inputs.snmp_trap" deprecated since version 1.20.0 and will be removed in 2.0.0: unused option
2023-08-11T14:42:53Z I! Starting Telegraf 1.26.0
2023-08-11T14:42:53Z I! Available plugins: 235 inputs, 9 aggregators, 27 processors, 22 parsers, 57 outputs, 2 secret-stores
2023-08-11T14:42:53Z I! Loaded inputs: snmp snmp_trap
2023-08-11T14:42:53Z I! Loaded aggregators:
2023-08-11T14:42:53Z I! Loaded processors:
2023-08-11T14:42:53Z I! Loaded secretstores:
2023-08-11T14:42:53Z W! Outputs are not used in testing mode!
2023-08-11T14:42:53Z I! Tags enabled: host=tsdcgbddwmdk01
2023-08-11T14:42:53Z W! Deprecated inputs: 0 and 1 options
2023-08-11T14:42:56Z E! [agent] Starting input inputs.snmp_trap: listen udp :162: bind: address already in use
```
bind: address already in use
As we have mentioned over and over, you are already using this port! It means that it will not receive any traps.
I would highly suggest you try this on a different system that is not set up to receive traps, and ensure it is working outside of whatever else you have running on this environment.
Please note this has been verified and the details were shared earlier. If we disable the input_snmp_trap plugin, the system doesn't show port 162 usage for any application. If I kill the telegraf process and run `--test`, we don't see such a UDP error.
This clearly shows that, except for telegraf, no other application or process is using this UDP port.
Could you please suggest whether I need to take any additional steps within Linux?