logstash-input-snmp 1.2.8 → 1.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 4bcb5f73151249317b6f7b36c028a3f863e7d4a88ba6da977fbc88d255355364
-  data.tar.gz: 85ef765af5f93aefb92a8f40d9738101ada3b5173bb9b4b8de3d4ec21a406578
+  metadata.gz: 747dbf68d6a90a7ab937bf8c64edef786b7d0c4c0ac2f97088401d1e842c2616
+  data.tar.gz: e53514a31810159796b3e80ee56f7aa6d66eba23ac781744fd9fbf0be83d4d9a
 SHA512:
-  metadata.gz: 423f10e23a58b04a72c47d70beb06053dedc8d07e1ec1e36c835ca783c6791bb6ccd12d701d3e50bd4ebe173185a4240ae21a93c36d7ecdf38bf4e2ae6d58f25
-  data.tar.gz: f452759e6c453d088b002721ae1520b1c22291e16ff609d8f308e57c3e9aa9dc29b008c809a9a6a76e76b00e68c0399fc96b63f23dc066aa403a682f19712f2e
+  metadata.gz: fa84badc45e056d01ca6a8668e3b5a2ddf89348339f49524b60b77843753cb7eb51fe2fcfe40d2d61dfc95523988f1fa6e11cc430692bbbe38d0014371c62278
+  data.tar.gz: 9e8e9895750a23892e99b2c198eef3e66f75de885e700dcea020d00356e843a022bd5dae6894a390f9f64faea40ea0f15310dbc7b34ef1fa96947b15d9d1a45b

data/CHANGELOG.md

@@ -1,8 +1,12 @@
+## 1.3.0
+  - Feat: ECS compliance + optional target [#99](https://github.com/logstash-plugins/logstash-input-snmp/pull/99)
+  - Internal: update to Gradle 7 [#102](https://github.com/logstash-plugins/logstash-input-snmp/pull/102)
+
 ## 1.2.8
-  - Fixed interval handling to only sleep off the _remainder_ of the interval (if any), and to log a helpful warning when crawling the hosts takes longer than the configured interval [#61](https://github.com/logstash-plugins/logstash-input-snmp/issues/61)
+  - Fixed interval handling to only sleep off the _remainder_ of the interval (if any), and to log a helpful warning when crawling the hosts takes longer than the configured interval [#100](https://github.com/logstash-plugins/logstash-input-snmp/pull/100). Fixes [#61](https://github.com/logstash-plugins/logstash-input-snmp/issues/61).
 
 ## 1.2.7
-  - Added integration tests to ensure SNMP server and IPv6 connections [#87](https://github.com/logstash-plugins/logstash-input-snmp/pull/87)
+  - Added integration tests to ensure SNMP server and IPv6 connections [#90](https://github.com/logstash-plugins/logstash-input-snmp/issues/90). Fixes[#87](https://github.com/logstash-plugins/logstash-input-snmp/issues/87).
 
 ## 1.2.6
   - Docs: example on setting IPv6 hosts [#89](https://github.com/logstash-plugins/logstash-input-snmp/pull/89)

data/CONTRIBUTORS

@@ -4,6 +4,7 @@ reports, or in general have helped logstash along its way.
 Contributors:
 * Colin Surprenant - colin.surprenant@gmail.com
 * Dan Major - axrayn@gmail.com
+* Patrick Prugger - pprugger@gmx.at
 
 Note: If you've sent us patches, bug reports, or otherwise contributed to
 Logstash, and you aren't on the list above and want to be, please let us know

data/docs/index.asciidoc

@@ -26,6 +26,22 @@ to gather information related to the current state of the devices operation.
 
 The SNMP input plugin supports SNMP v1, v2c, and v3 over UDP and TCP transport protocols.
 
+[id="plugins-{type}s-{plugin}-ecs"]
+==== Compatibility with the Elastic Common Schema (ECS)
+
+Because SNMP data has specific field names based on OIDs, we recommend setting a <<plugins-{type}s-{plugin}-target>>.
+Metadata fields follow a specific naming convention when <<plugins-{type}s-{plugin}-ecs_compatibility,ECS compatibility mode>> is enabled.
+
+[cols="<l,<l,e,<e"]
+|=======================================================================
+|ECS disabled |ECS v1, v8 |Description
+|[@metadata][host_protocol]    |[@metadata][input][snmp][host][protocol]    |The protocol used to retrieve data e.g. "udp"
+|[@metadata][host_address]     |[@metadata][input][snmp][host][address]     |The host IP e.g. "192.168.1.1"
+|[@metadata][host_port]        |[@metadata][input][snmp][host][port]        |The host's port e.g. "161"
+|[@metadata][host_community]   |[@metadata][input][snmp][host][community]   |The configured community e.g. "public"
+|[host]                        |[host][ip]                                  |Same as `[@metadata][host_address]`, host's IP address
+|=======================================================================
+
 [id="plugins-{type}s-{plugin}-import-mibs"]
 ==== Importing MIBs 
 
@@ -55,6 +71,7 @@ This plugin supports the following configuration options plus the <<plugins-{typ
 [cols="<,<,<",options="header",]
 |=======================================================================
 |Setting |Input type|Required
+| <<plugins-{type}s-{plugin}-ecs_compatibility>> |<<string,string>>|No
 | <<plugins-{type}s-{plugin}-get>> |<<array,array>>|No
 | <<plugins-{type}s-{plugin}-hosts>> |<<array,array>>|No
 | <<plugins-{type}s-{plugin}-interval>> |<<number,number>>|No
@@ -63,6 +80,7 @@ This plugin supports the following configuration options plus the <<plugins-{typ
 | <<plugins-{type}s-{plugin}-oid_path_length>> |<<number,number>>|No
 | <<plugins-{type}s-{plugin}-walk>> |<<array,array>>|No
 | <<plugins-{type}s-{plugin}-tables>> |<<array,array>>|No
+| <<plugins-{type}s-{plugin}-target>> |<<string,string>>|No
 |=======================================================================
 
 ==== SNMPv3 Authentication Options
@@ -86,14 +104,14 @@ Also see <<plugins-{type}s-{plugin}-common-options>> for a list of options suppo
 input plugins.
 
 [id="plugins-{type}s-{plugin}-get"]
-===== `get` 
+===== `get`
+
+  * Value type is <<array,array>>
+  * There is no default value for this setting
 
 Use the `get` option to query for scalar values for the given OID(s).
 One or more OID(s) are specified as an array of strings of OID(s).
 
-* Value type is <<array,array>>
-* There is no default value for this setting
-
 Example
 [source,ruby]
 -----
@@ -108,14 +126,14 @@ input {
 [id="plugins-{type}s-{plugin}-hosts"]
 ===== `hosts`
 
+  * Value type is <<array,array>>
+  * There is no default value for this setting
+
 The `hosts` option specifies the list of hosts to query the configured `get` and `walk` options.
 
 Each host definition is a hash and must define the `host` key and value.
 `host` must use the format `{tcp|udp}:{ip address}/{port}`, for example `host => "udp:127.0.0.1/161"`
 
-* Value type is <<array,array>>
-* There is no default value for this setting
-
 Each host definition can optionally include the following keys and values:
 
 * `community` the community string, default is `public`.
@@ -160,57 +178,58 @@ input {
 -----
 
 [id="plugins-{type}s-{plugin}-interval"]
-===== `interval` 
+===== `interval`
+
+  * Value type is <<number,number>>
+  * Default value is `30`
 
 The `interval` option specifies the polling interval in seconds.
 If polling all configured hosts takes longer than this interval, a warning will be emitted to the logs.
 
-* Value type is <<number,number>>
-* Default value is `30`
-
 [id="plugins-{type}s-{plugin}-mib_paths"]
-===== `mib_paths` 
+===== `mib_paths`
 
-The `mib_paths` option specifies the location of one or more imported MIB files. The value can be either a dir path containing
-the imported MIB `.dic` files or a file path to a single MIB `.dic` file.
+  * Value type is <<path,path>>
+  * There is no default value for this setting
 
-* Value type is <<path,path>>
-* There is no default value for this setting
+The `mib_paths` option specifies the location of one or more imported MIB files.
+The value can be either a dir path containing the imported MIB `.dic` files or a
+file path to a single MIB `.dic` file.
 
 This plugin includes the IETF MIBs.
 If you require other MIBs, you need to import them. See <<plugins-{type}s-{plugin}-import-mibs>>.
 
 [id="plugins-{type}s-{plugin}-oid_root_skip"]
-===== `oid_root_skip` 
+===== `oid_root_skip`
+
+  * Value type is <<number,number>>
+  * Default value is `0`
 
 The `oid_root_skip` option specifies the number of OID root digits to ignore in the event field name.
 For example, in a numeric OID like "1.3.6.1.2.1.1.1.0" the first 5 digits could be ignored by setting `oid_root_skip => 5`
 which would result in a field name "1.1.1.0". Similarly when a MIB is used an OID such
 "1.3.6.1.2.mib-2.system.sysDescr.0" would become "mib-2.system.sysDescr.0"
 
-* Value type is <<number,number>>
-* Default value is `0`
-
 [id="plugins-{type}s-{plugin}-oid_path_length"]
 ===== `oid_path_length`
 
+  * Value type is <<number,number>>
+  * Default value is `0`
+
 The `oid_path_length` option specifies the number of OID root digits to retain in the event field name.
 For example, in a numeric OID like "1.3.6.1.2.1.1.1.0" the last 2 digits could be retained by setting `oid_path_length => 2`
 which would result in a field name "1.0". Similarly when a MIB is used an OID such
 "1.3.6.1.2.mib-2.system.sysDescr.0" would become "sysDescr.0"
 
-* Value type is <<number,number>>
-* Default value is `0`
-
 [id="plugins-{type}s-{plugin}-walk"]
 ===== `walk`
 
+  * Value type is <<array,array>>
+  * There is no default value for this setting
+
 Use the `walk` option to retrieve the subtree of information for the given OID(s).
 One or more OID(s) are specified as an array of strings of OID(s).
 
-* Value type is <<array,array>>
-* There is no default value for this setting
-
 Queries the subtree of information starting at the given OID(s).
 
 Example
@@ -226,14 +245,14 @@ Example
 [id="plugins-{type}s-{plugin}-tables"]
 ===== `tables`
 
+  * Value type is <<array,array>>
+  * There is no default value for this setting
+  * Results are returned under a field using the table name
+
 The `tables` option is used to query for tabular values for the given column OID(s).
 
 Each table definition is a hash and must define the name key and value and the columns to return.
 
-* Value type is <<array,array>>
-* There is no default value for this setting
-* Results are returned under a field using the table name
-
 *Specifying a single table*
 
 [source,ruby]
@@ -267,10 +286,10 @@ These options are required only if you are using SNMPv3.
 [id="plugins-{type}s-{plugin}-auth_pass"]
 ===== `auth_pass`
 
-The `auth_pass` option specifies the SNMPv3 authentication passphrase or password
+  * Value type is <<password,password>>
+  * There is no default value for this setting
 
-* Value type is <<password,password>>
-* There is no default value for this setting
+The `auth_pass` option specifies the SNMPv3 authentication passphrase or password.
 
 [id="plugins-{type}s-{plugin}-auth_protocol"]
 ===== `auth_protocol`
@@ -280,38 +299,66 @@ The `auth_protocol` option specifies the SNMPv3 authentication protocol or type
 * Value can be any of: `md5`, `sha`, `sha2`, `hmac128sha224`, `hmac192sha256`, `hmac256sha384`, `hmac384sha512`
 * There is no default value for this setting
 
+[id="plugins-{type}s-{plugin}-ecs_compatibility"]
+===== `ecs_compatibility`
+
+  * Value type is <<string,string>>
+  * Supported values are:
+    ** `disabled`: does not use ECS-compatible field names (fields might be set at the root of the event)
+    ** `v1`, `v8`: avoids field names that might conflict with Elastic Common Schema (for example, the `host` field)
+  * Default value depends on which version of Logstash is running:
+    ** When Logstash provides a `pipeline.ecs_compatibility` setting, its value is used as the default
+    ** Otherwise, the default value is `disabled`.
+
+Controls this plugin's compatibility with the {ecs-ref}[Elastic Common Schema (ECS)].
+
 [id="plugins-{type}s-{plugin}-priv_pass"]
 ===== `priv_pass`
 
-The `priv_pass` option specifies the SNMPv3 encryption password
+  * Value type is <<password,password>>
+  * There is no default value for this setting
 
-* Value type is <<password,password>>
-* There is no default value for this setting
+The `priv_pass` option specifies the SNMPv3 encryption password.
 
 [id="plugins-{type}s-{plugin}-priv_protocol"]
 ===== `priv_protocol`
 
-The `priv_protocol` option specifies the SNMPv3 privacy/encryption protocol.
+  * Value can be any of: `des`, `3des`, `aes`, `aes128`, `aes192`, `aes256`
+  * Note that `aes` and `aes128` are equivalent
+  * There is no default value for this setting
 
-* Value can be any of: `des`, `3des`, `aes`, `aes128`, `aes192`, `aes256`
-* Note that `aes` and `aes128` are equivalent
-* There is no default value for this setting
+The `priv_protocol` option specifies the SNMPv3 privacy/encryption protocol.
 
 [id="plugins-{type}s-{plugin}-security_name"]
 ===== `security_name`
 
-The `security_name` option specifies the SNMPv3 security name or user name
+  * Value type is <<string,string>>
+  * There is no default value for this setting
 
-* Value type is <<string,string>>
-* There is no default value for this setting
+The `security_name` option specifies the SNMPv3 security name or user name.
 
 [id="plugins-{type}s-{plugin}-security_level"]
 ===== `security_level`
 
-The `security_level` option specifies the SNMPv3 security level between Authentication, No Privacy; Authentication, Privacy; or no Authentication, no Privacy
+  * Value can be any of: `noAuthNoPriv`, `authNoPriv`, `authPriv`
+  * There is no default value for this setting
 
-* Value can be any of: `noAuthNoPriv`, `authNoPriv`, `authPriv`
-* There is no default value for this setting
+The `security_level` option specifies the SNMPv3 security level between
+Authentication, No Privacy; Authentication, Privacy; or no Authentication, no Privacy. 
+
+[id="plugins-{type}s-{plugin}-target"]
+===== `target`
+
+  * Value type is <<string,string>>
+  * There is no default value for this setting
+
+The name of the field under which SNMP payloads are assigned.
+If not specified data will be stored in the root of the event.
+
+Setting a target is recommended when <<plugins-{type}s-{plugin}-ecs_compatibility>> is enabled.
+
+[id="plugins-{type}s-{plugin}-examples"]
+==== Configuration examples
 
 *Specifying SNMPv3 settings*
 
@@ -332,8 +379,6 @@ input {
 
 -----
 
-==== More configuration examples
-
 *Using both `get` and `walk` in the same poll cycle for each host(s)*
 
 [source,ruby]

data/lib/logstash/inputs/snmp.rb

@@ -7,11 +7,24 @@ require_relative "snmp/client"
 require_relative "snmp/clientv3"
 require_relative "snmp/mib"
 
+require 'logstash/plugin_mixins/ecs_compatibility_support'
+require 'logstash/plugin_mixins/ecs_compatibility_support/target_check'
+require 'logstash/plugin_mixins/event_support/event_factory_adapter'
+require 'logstash/plugin_mixins/validator_support/field_reference_validation_adapter'
+
 # Generate a repeating message.
 #
 # This plugin is intented only as an example.
 
 class LogStash::Inputs::Snmp < LogStash::Inputs::Base
+
+  include LogStash::PluginMixins::ECSCompatibilitySupport(:disabled, :v1, :v8 => :v1)
+  include LogStash::PluginMixins::ECSCompatibilitySupport::TargetCheck
+
+  include LogStash::PluginMixins::EventSupport::EventFactoryAdapter
+
+  extend LogStash::PluginMixins::ValidatorSupport::FieldReferenceValidationAdapter
+
   config_name "snmp"
 
   # List of OIDs for which we want to retrieve the scalar value
@@ -67,9 +80,6 @@ class LogStash::Inputs::Snmp < LogStash::Inputs::Base
   # The default, `30`, means poll each host every 30 seconds.
   config :interval, :validate => :number, :default => 30
 
-  # Add the default "host" field to the event.
-  config :add_field, :validate => :hash, :default => { "host" => "%{[@metadata][host_address]}" }
-
   # SNMPv3 Credentials
   #
   # A single user can be configured and will be used for all defined SNMPv3 hosts.
@@ -94,9 +104,29 @@ class LogStash::Inputs::Snmp < LogStash::Inputs::Base
   # The SNMPv3 security level can be Authentication, No Privacy; Authentication, Privacy; or no Authentication, no Privacy
   config :security_level, :validate => ["noAuthNoPriv", "authNoPriv", "authPriv"]
 
+  # Defines a target field for placing fields.
+  # If this setting is omitted, data gets stored at the root (top level) of the event.
+  # The target is only relevant while decoding data into a new event.
+  config :target, :validate => :field_reference
+
   BASE_MIB_PATH = ::File.join(__FILE__, "..", "..", "..", "mibs")
   PROVIDED_MIB_PATHS = [::File.join(BASE_MIB_PATH, "logstash"), ::File.join(BASE_MIB_PATH, "ietf")].map { |path| ::File.expand_path(path) }
 
+  def initialize(params={})
+    super(params)
+
+    @host_protocol_field = ecs_select[disabled: '[@metadata][host_protocol]', v1: '[@metadata][input][snmp][host][protocol]']
+    @host_address_field = ecs_select[disabled: '[@metadata][host_address]', v1: '[@metadata][input][snmp][host][address]']
+    @host_port_field = ecs_select[disabled: '[@metadata][host_port]', v1: '[@metadata][input][snmp][host][port]']
+    @host_community_field = ecs_select[disabled: '[@metadata][host_community]', v1: '[@metadata][input][snmp][host][community]']
+
+    # Add the default "host" field to the event, for backwards compatibility, or host.ip in ecs mode
+    unless params.key?('add_field')
+      host_ip_field = ecs_select[disabled: "host", v1: "[host][ip]"]
+      @add_field = { host_ip_field => "%{#{@host_address_field}}" }
+    end
+  end
+
   def register
     validate_oids!
     validate_hosts!
@@ -165,46 +195,49 @@ class LogStash::Inputs::Snmp < LogStash::Inputs::Base
     # each run. each run polls all the defined hosts for the get and walk options.
     stoppable_interval_runner.every(@interval, "polling hosts") do
       @client_definitions.each do |definition|
+        client = definition[:client]
         result = {}
         if !definition[:get].empty?
+          oids = definition[:get]
           begin
-            result = result.merge(definition[:client].get(definition[:get], @oid_root_skip, @oid_path_length))
+            result = result.merge(client.get(oids, @oid_root_skip, @oid_path_length))
           rescue => e
-            logger.error("error invoking get operation on #{definition[:host_address]} for OIDs: #{definition[:get]}, ignoring", :exception => e, :backtrace => e.backtrace)
+            logger.error("error invoking get operation for OIDs: #{oids}, ignoring",
+                         host: definition[:host_address], exception: e, backtrace: e.backtrace)
           end
         end
-        if  !definition[:walk].empty?
+        if !definition[:walk].empty?
           definition[:walk].each do |oid|
             begin
-              result = result.merge(definition[:client].walk(oid, @oid_root_skip, @oid_path_length))
+              result = result.merge(client.walk(oid, @oid_root_skip, @oid_path_length))
             rescue => e
-              logger.error("error invoking walk operation on OID: #{oid}, ignoring", :exception => e, :backtrace => e.backtrace)
+              logger.error("error invoking walk operation on OID: #{oid}, ignoring",
+                           host: definition[:host_address], exception: e, backtrace: e.backtrace)
             end
           end
         end
 
-        if  !Array(@tables).empty?
+        if !Array(@tables).empty?
           @tables.each do |table_entry|
             begin
-              result = result.merge(definition[:client].table(table_entry, @oid_root_skip, @oid_path_length))
+              result = result.merge(client.table(table_entry, @oid_root_skip, @oid_path_length))
             rescue => e
-              logger.error("error invoking table operation on OID: #{table_entry['name']}, ignoring", :exception => e, :backtrace => e.backtrace)
+              logger.error("error invoking table operation on OID: #{table_entry['name']}, ignoring",
+                           host: definition[:host_address], exception: e, backtrace: e.backtrace)
             end
           end
         end
 
         unless result.empty?
-          metadata = {
-            "host_protocol" => definition[:host_protocol],
-            "host_address" => definition[:host_address],
-            "host_port" => definition[:host_port],
-            "host_community" => definition[:host_community],
-          }
-          result["@metadata"] = metadata
-
-          event = LogStash::Event.new(result)
+          event = targeted_event_factory.new_event(result)
+          event.set(@host_protocol_field, definition[:host_protocol])
+          event.set(@host_address_field, definition[:host_address])
+          event.set(@host_port_field, definition[:host_port])
+          event.set(@host_community_field, definition[:host_community])
           decorate(event)
           queue << event
+        else
+          logger.debug? && logger.debug("no snmp data retrieved", host: definition[:host_address])
         end
       end
     end
@@ -230,7 +263,7 @@ class LogStash::Inputs::Snmp < LogStash::Inputs::Base
   private
 
   OID_REGEX = /^\.?([0-9\.]+)$/
-  HOST_REGEX = /^(?<host_protocol>udp|tcp):(?<host_address>.+)\/(?<host_port>\d+)$/i
+  HOST_REGEX = /^(?<host_protocol>\w+):(?<host_address>.+)\/(?<host_port>\d+)$/i
   VERSION_REGEX =/^1|2c|3$/
 
   def validate_oids!

data/logstash-input-snmp.gemspec

@@ -1,6 +1,6 @@
 Gem::Specification.new do |s|
   s.name          = 'logstash-input-snmp'
-  s.version       = '1.2.8'
+  s.version       = '1.3.0'
   s.licenses      = ['Apache-2.0']
   s.summary       = "SNMP input plugin"
   s.description   = "This gem is a Logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/logstash-plugin install gemname. This gem is not a stand-alone program"
@@ -20,8 +20,12 @@ Gem::Specification.new do |s|
 
   # Gem dependencies
   s.add_runtime_dependency "logstash-core-plugin-api", ">= 1.60", "<= 2.99"
-  s.add_runtime_dependency 'stud', '>= 0.0.22', '< 0.1.0'
+  s.add_runtime_dependency 'logstash-mixin-ecs_compatibility_support', '~> 1.3'
+  s.add_runtime_dependency 'logstash-mixin-event_support', '~> 1.0'
+  s.add_runtime_dependency 'logstash-mixin-validator_support', '~> 1.0'
   s.add_runtime_dependency 'logstash-codec-plain'
+  s.add_runtime_dependency 'stud', '>= 0.0.22', '< 0.1.0'
+
   s.add_development_dependency 'logstash-devutils'
   s.add_development_dependency 'rspec-wait'
 end

data/spec/inputs/snmp_spec.rb

@@ -1,9 +1,11 @@
 # encoding: utf-8
 require "logstash/devutils/rspec/spec_helper"
 require "logstash/devutils/rspec/shared_examples"
+require 'logstash/plugin_mixins/ecs_compatibility_support/spec_helper'
 require "logstash/inputs/snmp"
 
-describe LogStash::Inputs::Snmp do
+describe LogStash::Inputs::Snmp, :ecs_compatibility_support do
+
   let(:mock_client) { double("LogStash::SnmpClient") }
 
   it_behaves_like "an interruptible input plugin" do
@@ -130,7 +132,12 @@ describe LogStash::Inputs::Snmp do
     end
   end
 
-  context "@metadata" do
+  ecs_compatibility_matrix(:disabled, :v1, :v8) do |ecs_select|
+
+    before(:each) do
+      allow_any_instance_of(described_class).to receive(:ecs_compatibility).and_return(ecs_compatibility)
+    end
+
     before do
       expect(LogStash::SnmpClient).to receive(:new).and_return(mock_client)
       expect(mock_client).to receive(:get).and_return({"foo" => "bar"})
@@ -143,25 +150,33 @@ describe LogStash::Inputs::Snmp do
           input {
             snmp {
               get => ["1.3.6.1.2.1.1.1.0"]
-              hosts => [{host => "udp:127.0.0.1/161" community => "public"}]
+              hosts => [{ host => "udp:127.0.0.1/161" community => "public" }]
             }
           }
       CONFIG
       event = input(config) { |_, queue| queue.pop }
 
-      expect(event.get("[@metadata][host_protocol]")).to eq("udp")
-      expect(event.get("[@metadata][host_address]")).to eq("127.0.0.1")
-      expect(event.get("[@metadata][host_port]")).to eq("161")
-      expect(event.get("[@metadata][host_community]")).to eq("public")
-      expect(event.get("host")).to eq("127.0.0.1")
+      if ecs_select.active_mode == :disabled
+        expect(event.get("[@metadata][host_protocol]")).to eq("udp")
+        expect(event.get("[@metadata][host_address]")).to eq("127.0.0.1")
+        expect(event.get("[@metadata][host_port]")).to eq("161")
+        expect(event.get("[@metadata][host_community]")).to eq("public")
+        expect(event.get("host")).to eql("127.0.0.1")
+      else
+        expect(event.get("[@metadata][input][snmp][host][protocol]")).to eq("udp")
+        expect(event.get("[@metadata][input][snmp][host][address]")).to eq("127.0.0.1")
+        expect(event.get("[@metadata][input][snmp][host][port]")).to eq('161')
+        expect(event.get("[@metadata][input][snmp][host][community]")).to eq("public")
+        expect(event.get("host")).to eql('ip' => "127.0.0.1")
+      end
     end
 
-    it "shoud add custom host field" do
+    it "should add custom host field (legacy metadata)" do
       config = <<-CONFIG
           input {
             snmp {
               get => ["1.3.6.1.2.1.1.1.0"]
-              hosts => [{host => "udp:127.0.0.1/161" community => "public"}]
+              hosts => [{ host => "udp:127.0.0.1/161" community => "public" }]
               add_field => { host => "%{[@metadata][host_protocol]}:%{[@metadata][host_address]}/%{[@metadata][host_port]},%{[@metadata][host_community]}" }
             }
           }
@@ -169,6 +184,37 @@ describe LogStash::Inputs::Snmp do
       event = input(config) { |_, queue| queue.pop }
 
       expect(event.get("host")).to eq("udp:127.0.0.1/161,public")
+    end if ecs_select.active_mode == :disabled
+
+    it "should add custom host field (ECS mode)" do
+      config = <<-CONFIG
+          input {
+            snmp {
+              get => ["1.3.6.1.2.1.1.1.0"]
+              hosts => [{ host => "tcp:192.168.1.11/1161" }]
+              add_field => { "[host][formatted]" => "%{[@metadata][input][snmp][host][protocol]}://%{[@metadata][input][snmp][host][address]}:%{[@metadata][input][snmp][host][port]}" }
+            }
+          }
+      CONFIG
+      event = input(config) { |_, queue| queue.pop }
+
+      expect(event.get("host")).to eq('formatted' => "tcp://192.168.1.11:1161")
+    end if ecs_select.active_mode != :disabled
+
+    it "should target event data" do
+      config = <<-CONFIG
+          input {
+            snmp {
+              get => ["1.3.6.1.2.1.1.1.0"]
+              hosts => [{ host => "udp:127.0.0.1/161" community => "public" }]
+              target => "snmp_data"
+            }
+          }
+      CONFIG
+      event = input(config) { |_, queue| queue.pop }
+
+      expect( event.include?('foo') ).to be false
+      expect( event.get('[snmp_data]') ).to eql 'foo' => 'bar'
     end
   end
 

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: logstash-input-snmp
 version: !ruby/object:Gem::Version
-  version: 1.2.8
+  version: 1.3.0
 platform: ruby
 authors:
 - Elasticsearch
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-09-15 00:00:00.000000000 Z
+date: 2021-11-19 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   requirement: !ruby/object:Gem::Requirement
@@ -33,23 +33,45 @@ dependencies:
 - !ruby/object:Gem::Dependency
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.0.22
-    - - "<"
+        version: '1.3'
+  name: logstash-mixin-ecs_compatibility_support
+  prerelease: false
+  type: :runtime
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.1.0
-  name: stud
+        version: '1.3'
+- !ruby/object:Gem::Dependency
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+  name: logstash-mixin-event_support
   prerelease: false
   type: :runtime
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.0.22
-    - - "<"
+        version: '1.0'
+- !ruby/object:Gem::Dependency
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.1.0
+        version: '1.0'
+  name: logstash-mixin-validator_support
+  prerelease: false
+  type: :runtime
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
 - !ruby/object:Gem::Dependency
   requirement: !ruby/object:Gem::Requirement
     requirements:
@@ -64,6 +86,26 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.0.22
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: 0.1.0
+  name: stud
+  prerelease: false
+  type: :runtime
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.0.22
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: 0.1.0
 - !ruby/object:Gem::Dependency
   requirement: !ruby/object:Gem::Requirement
     requirements:
@@ -416,10 +458,8 @@ files:
 - spec/fixtures/collision.dic
 - spec/inputs/integration/it_spec.rb
 - spec/inputs/snmp/base_client_spec.rb
-- spec/inputs/snmp/interval_runner_spec.rb
 - spec/inputs/snmp/mib_spec.rb
 - spec/inputs/snmp_spec.rb
-- vendor/jar-dependencies/org/snmp4j/snmp4j/2.5.11/snmp4j-2.5.11.jar
 - vendor/jar-dependencies/org/snmp4j/snmp4j/2.8.4/snmp4j-2.8.4.jar
 homepage: http://www.elastic.co/guide/en/logstash/current/index.html
 licenses:
@@ -452,6 +492,5 @@ test_files:
 - spec/fixtures/collision.dic
 - spec/inputs/integration/it_spec.rb
 - spec/inputs/snmp/base_client_spec.rb
-- spec/inputs/snmp/interval_runner_spec.rb
 - spec/inputs/snmp/mib_spec.rb
 - spec/inputs/snmp_spec.rb