Conversation

@RoseSecurity

SNMP Trap Source

Summary

This PR adds a new snmp_trap source that receives SNMP v1 and v2c trap messages over UDP. SNMP traps are commonly used by network devices to report events like failures, threshold violations, or status changes to a management station.

Features

  • Listens for SNMP traps on a configurable UDP address/port
  • Supports both SNMPv1 and SNMPv2c trap formats
  • Parses trap messages into structured log events
  • Extracts all variable bindings (varbinds) as a JSON array
  • Configurable host key for source identification

Vector Config Example

# Basic configuration - listen on standard SNMP trap port
sources:
  snmp_traps:
    type: snmp_trap
    address: "0.0.0.0:162"

sinks:
  console:
    type: console
    inputs: ["snmp_traps"]
    encoding:
      codec: json

# Non-privileged port with custom buffer size
sources:
  snmp_traps:
    type: snmp_trap
    address: "0.0.0.0:1162"
    receive_buffer_bytes: 65536
    host_key: "source_host"

transforms:
  enrich_traps:
    type: remap
    inputs: ["snmp_traps"]
    source: |
      # Add severity based on trap type
      if .snmp_version == "1" {
        .severity = if .generic_trap == 4 { "critical" } else { "info" }
      }

sinks:
  console:
    type: console
    inputs: ["enrich_traps"]
    encoding:
      codec: json

Output Schema

SNMPv1 Trap Output

{
  "snmp_version": "1",
  "source_address": "192.168.1.100:161",
  "community": "public",
  "enterprise_oid": "1.3.6.1.4.1.8072.2.3.0.1",
  "agent_address": "192.168.1.100",
  "generic_trap": 6,
  "specific_trap": 1,
  "uptime": 123456,
  "varbinds": [
    {"oid": "1.3.6.1.4.1.8072.2.3.2.1", "value": "123456"}
  ],
  "message": "SNMPv1 trap from 192.168.1.100:161 (1.3.6.1.4.1.8072.2.3.0.1): enterpriseSpecific",
  "timestamp": "2024-01-15T10:30:00Z"
}

SNMPv2c Trap Output

{
  "snmp_version": "2c",
  "source_address": "192.168.1.100:161",
  "community": "public",
  "request_id": 12345,
  "trap_oid": "1.3.6.1.4.1.8072.2.3.0.1",
  "uptime": "123456",
  "varbinds": [
    {"oid": "1.3.6.1.2.1.1.3.0", "value": "123456"},
    {"oid": "1.3.6.1.6.3.1.1.4.1.0", "value": "1.3.6.1.4.1.8072.2.3.0.1"}
  ],
  "message": "SNMPv2c trap from 192.168.1.100:161: 1.3.6.1.4.1.8072.2.3.0.1",
  "timestamp": "2024-01-15T10:30:00Z"
}

Test Plan

Prerequisites

  • snmptrap command (from net-snmp package)
  • Vector built with --features sources-snmp_trap

Manual Testing Steps

  1. Build Vector with SNMP trap support:

    cargo build --features sources-snmp_trap,sinks-console
  2. Create test configuration (test_snmp.yaml):

    sources:
      snmp_traps:
        type: snmp_trap
        address: "127.0.0.1:1162"
    
    sinks:
      console:
        type: console
        inputs: ["snmp_traps"]
        encoding:
          codec: json
  3. Start Vector:

    ./target/debug/vector --config test_snmp.yaml
  4. Send SNMPv2c test trap (in another terminal):

    snmptrap -v 2c -c public 127.0.0.1:1162 '' \
      1.3.6.1.4.1.8072.2.3.0.1 \
      1.3.6.1.4.1.8072.2.3.2.1 i 123456
  5. Send SNMPv1 test trap:

    snmptrap -v 1 -c public 127.0.0.1:1162 \
      1.3.6.1.4.1.8072.2.3.0.1 \
      127.0.0.1 6 1 '' \
      1.3.6.1.4.1.8072.2.3.2.1 i 123456
  6. Verify output: Confirm JSON output appears in Vector's console with all expected fields.

Automated Tests

Run the unit tests:

cargo test --features sources-snmp_trap snmp

Expected: All 7 tests pass:

  • generate_config - Config generation works
  • test_udp_socket_bind - Can bind to UDP socket
  • test_config_default - Default config is correct
  • test_config_with_options - Config with options works
  • test_format_object_value - SNMP value formatting works
  • test_parse_invalid_data - Invalid data is rejected
  • test_parse_empty_data - Empty data is rejected
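
As an added example (not code from this PR or from Vector's snmp_trap source), the following Python decoder walks the BER structure that a trap source has to parse for both versions and emits the fields of the output schema above; it also rejects empty and malformed datagrams, which is what test_parse_empty_data and test_parse_invalid_data cover. The two sample datagrams are constructed by hand to match the traps the test plan's snmptrap commands send (the v2c one carries request-id 12345, as in the schema). The tag constants, helper names and the TrapParseError type are my own, not the source's, and uptime is returned as an integer for both versions.

```python
# Added example, not Vector's snmp_trap source: a minimal BER decoder for SNMPv1
# (RFC 1157) and SNMPv2c (RFC 3416) trap datagrams that yields the fields of the
# output schema above and rejects empty or malformed input, like the PR's tests.
INTEGER, OCTET_STRING, OID, SEQUENCE, IPADDRESS, TIMETICKS = 0x02, 0x04, 0x06, 0x30, 0x40, 0x43
TRAP_V1_PDU, TRAP_V2_PDU = 0xA4, 0xA7  # context tags [4] Trap-PDU and [7] SNMPv2-Trap-PDU
SYS_UPTIME, SNMP_TRAP_OID = "1.3.6.1.2.1.1.3.0", "1.3.6.1.6.3.1.1.4.1.0"
GENERIC_TRAPS = ["coldStart", "warmStart", "linkDown", "linkUp",
                 "authenticationFailure", "egpNeighborLoss", "enterpriseSpecific"]
SAMPLE_V1 = bytes.fromhex(  # constructed: the v1 trap the test plan's snmptrap command sends
    "3041 020100 0406 7075626c6963 a434 060b 2b06010401bf0802030001 4004 c0a80164"
    "020106 020101 4303 01e240 3014 3012 060b 2b06010401bf0802030201 0203 01e240")
SAMPLE_V2C = bytes.fromhex(  # constructed: the v2c trap from the test plan, request-id 12345
    "3059 020101 0406 7075626c6963 a74c 0202 3039 020100 020100 3040"
    "300f 0608 2b06010201010300 4303 01e240"
    "3019 060a 2b060106030101040100 060b 2b06010401bf0802030001"
    "3012 060b 2b06010401bf0802030201 0203 01e240")

class TrapParseError(ValueError): """Empty, truncated or malformed datagram: drop and count it."""

def _tlv(buf, pos, want=None):
    """Decode one BER tag-length-value at pos; returns (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise TrapParseError("truncated TLV header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise TrapParseError("length runs past the end of the datagram")
    if want is not None and tag != want:
        raise TrapParseError(f"expected tag {want:#04x}, got {tag:#04x}")
    return tag, buf[pos:pos + length], pos + length

def _int(raw, signed=True):
    return int.from_bytes(raw, "big", signed=signed)

def _fields(buf, *tags):
    """Read consecutive TLVs whose tags must match in order; returns (values, next_pos)."""
    out, pos = [], 0
    for tag in tags:
        _, raw, pos = _tlv(buf, pos, tag)
        out.append(raw)
    return out, pos

def _oid(raw):  # first octet packs arcs 1-2; the rest are base-128 sub-identifiers
    if not raw or (len(raw) > 1 and raw[-1] & 0x80):
        raise TrapParseError("empty or truncated OID")
    arcs = [2, raw[0] - 80] if raw[0] >= 80 else [raw[0] // 40, raw[0] % 40]
    acc = 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear ends this sub-identifier
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def _value(tag, raw):
    """Render a varbind value as a string, as the output schema does; unknown tags as hex."""
    decoders = {INTEGER: lambda r: str(_int(r)), TIMETICKS: lambda r: str(_int(r, False)),
                OID: _oid, IPADDRESS: lambda r: ".".join(map(str, r)),
                OCTET_STRING: lambda r: r.decode("utf-8", "replace")}
    return decoders.get(tag, bytes.hex)(raw)

def _varbinds(raw):  # VarBindList ::= SEQUENCE OF SEQUENCE { name OID, value ANY }
    out, pos = [], 0
    while pos < len(raw):
        _, vb, pos = _tlv(raw, pos, SEQUENCE)
        _, oid_raw, p = _tlv(vb, 0, OID)
        out.append({"oid": _oid(oid_raw), "value": _value(*_tlv(vb, p)[:2])})
    return out

def parse_trap(datagram, source_address):
    """Turn one UDP datagram into the structured event the PR's schema shows."""
    _, msg, _ = _tlv(datagram, 0, SEQUENCE)  # Message ::= SEQUENCE { version, community, data }
    (ver, community), pos = _fields(msg, INTEGER, OCTET_STRING)  # community: cleartext label only
    pdu_tag, pdu, _ = _tlv(msg, pos)
    ev = {"source_address": source_address, "community": community.decode("utf-8", "replace")}
    if _int(ver) == 0 and pdu_tag == TRAP_V1_PDU:  # RFC 1157 Trap-PDU: fixed field order
        (ent, addr, gen, spec, ticks, vbs), _ = _fields(
            pdu, OID, IPADDRESS, INTEGER, INTEGER, TIMETICKS, SEQUENCE)
        generic = _int(gen)
        name = GENERIC_TRAPS[generic] if 0 <= generic < len(GENERIC_TRAPS) else "unknown"
        ev.update(snmp_version="1", enterprise_oid=_oid(ent), agent_address=_value(IPADDRESS, addr),
                  generic_trap=generic, specific_trap=_int(spec), uptime=_int(ticks, False),
                  varbinds=_varbinds(vbs))
        ev["message"] = f"SNMPv1 trap from {source_address} ({ev['enterprise_oid']}): {name}"
    elif _int(ver) == 1 and pdu_tag == TRAP_V2_PDU:  # RFC 3416 SNMPv2-Trap-PDU
        (rid, _, _, vbs), _ = _fields(pdu, INTEGER, INTEGER, INTEGER, SEQUENCE)  # id, status, index
        varbinds = _varbinds(vbs)
        head = {vb["oid"]: vb["value"] for vb in varbinds[:2]}  # sysUpTime.0, snmpTrapOID.0 must lead
        if SYS_UPTIME not in head or SNMP_TRAP_OID not in head:
            raise TrapParseError("v2c trap lacks sysUpTime.0 / snmpTrapOID.0")
        ev.update(snmp_version="2c", request_id=_int(rid), trap_oid=head[SNMP_TRAP_OID],
                  uptime=int(head[SYS_UPTIME]), varbinds=varbinds)
        ev["message"] = f"SNMPv2c trap from {source_address}: {ev['trap_oid']}"
    else:
        raise TrapParseError(f"unsupported version {_int(ver)} / PDU tag {pdu_tag:#04x}")
    return ev
```

Calling parse_trap(SAMPLE_V1, "192.168.1.100:161") yields the v1 event from the output schema, and the v2c sample yields the v2c event with its three varbinds. Two points worth keeping in mind when consuming these events: the community string is a cleartext label with no authentication, and source_address comes from an unauthenticated UDP datagram, so a remap transform should treat both as data to filter or enrich on rather than as proof of where a trap came from. Every structural failure surfaces as TrapParseError, so a source built this way can drop the datagram and count it the way the PR's internal error events do.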

Checklist

  • Add snmp-parser dependency
  • Implement SNMP trap source
  • Implement SNMPv1 and SNMPv2c parser
  • Add internal events for error tracking
  • Add unit tests
  • Add example configuration
  • Add changelog entry
  • Add CUE documentation
  • Add service and URL definitions

References

Introduce a new `snmp_trap` source to receive SNMP v1 and v2c trap
messages over UDP. The source parses incoming traps, extracts fields
such as community string, version, trap type, OID, and varbinds, and
emits structured log events. Includes documentation, changelog, and
example configuration for easy adoption.
@RoseSecurity RoseSecurity requested review from a team as code owners January 19, 2026 19:42
@github-actions github-actions bot added the domain: sources and domain: external docs labels Jan 19, 2026
@github-actions


Thank you for your submission, we really appreciate it. Like many open-source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution. You can sign the CLA by just posting a Pull Request Comment same as the below format.

I have read the CLA Document and I hereby sign the CLA

You can retrigger this bot by commenting recheck in this Pull Request. Posted by the CLA Assistant Lite bot.

@RoseSecurity RoseSecurity changed the title from "feat(source): add SNMP trap source for UDP trap ingestion" to "feat(core): add SNMP trap source for UDP trap ingestion" Jan 19, 2026
@domalessi domalessi self-assigned this Jan 20, 2026