<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
<title></title>
</head>
<body bgcolor="#ffffff" text="#000000">
<tt>Hi Dan,<br>
<br>
When I do something like this, I usually take a different
approach: I use a script called from snmptrapd to write the log
message to a socket. If you use something different from /dev/log
(e.g. /dev/log.snmp), it's also easier to filter on the message. I
am not sure if SEC has pre-defined rules for traps, but if not,
this is probably easier to handle if you are not using a LOT of
traps. If it's just port-security violations and link up/down
messages on a moderately sized network, it should work fine.<br>
<br>
So in my setup this usually looks like:<br>
<br>
/etc/snmp/snmp.conf<br>
<br>
mibdirs +/usr/share/snmp/mibs/:/etc/snmp/mibs/<br>
mibs +ALL<br>
mibwarninglevel 1<br>
logtimestamp yes<br>
printnumericenums no<br>
printnumericoids no<br>
suffixprinting 0<br>
<br>
<br>
/etc/snmp/snmptrapd.conf<br>
<br>
# syslog-ng configuration<br>
doNotRetainNotificationLogs yes<br>
doNotLogTraps yes<br>
snmpTrapdAddr 0.0.0.0:162<br>
authCommunity execute public<br>
logOption s 10<br>
outputOption Q<br>
traphandle default /usr/local/bin/traptosyslog<br>
<br>
<br>
/usr/local/bin/traptosyslog<br>
<br>
<pre>
#!/usr/bin/python

import sys, time, socket

t = time.strftime('%Y-%m-%dT%H:%M:%S')
hostname = None
ipaddress = None
trap = None
oids = []

# snmptrapd hands the traphandle the hostname, then the transport address,
# then one "OID = value" line per varbind (outputOption Q)
for line in sys.stdin:
    if not hostname:
        hostname = line.strip()
    elif not ipaddress:
        ipaddress = line.strip()
    else:
        if '=' not in line:
            continue        # not a varbind line, skip it
        (n, v) = line.split('=', 1)
        if n.strip() == "SNMPv2-MIB::snmpTrapOID.0":
            # keep the trap name without the MIB module prefix
            trap = v.strip().split('::', 1)[-1]
        else:
            if n.find('::') > 0:
                (base, real) = n.strip().split('::', 1)
                oids.append("%s='%s'" % (real, v.strip('\'"\n ')))
            else:
                oids.append("%s='%s'" % (n.strip(), v.strip('\'"\n ')))

oids.reverse()

# snmptrapd prints &lt;UNKNOWN&gt; when reverse DNS fails; fall back to the
# address inside the first brackets of e.g. "UDP: [192.0.2.1]:162-&gt;..."
if hostname == "&lt;UNKNOWN&gt;":
    b = ipaddress.find('[')
    e = ipaddress.find(']')
    if e > 0 and b >= 0:
        hostname = ipaddress[b+1:e]
    else:
        hostname = ipaddress

sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
sock.connect("/dev/log.snmp")
sock.sendall("%s %s snmptrap: %s; %s" % (t, hostname, trap, ', '.join(oids)))
sock.close()
</pre>
<br>
<br>
/etc/syslog-ng/syslog-ng.conf<br>
<br>
[...]<br>
<br>
source snmp <br>
{<br>
unix-stream(<br>
"/dev/log.snmp"<br>
keep_timestamp(yes)<br>
keep_hostname(yes)<br>
);<br>
};<br>
<br>
[...]<br>
<br>
This way the hostname and timestamp are preserved, the SNMP trap
is nicely collapsed to a single line and formatted according to
the matching MIB definition. All MIBs are loaded from
/etc/snmp/mibs and if you need to add one more, just drop it into
that folder and reload snmptrapd.<br>
<br>
Balint<br>
<br>
</tt><br>
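<p>As an added example (not Balint's script, and not code from the net-snmp or syslog-ng projects): the same traphandle parsing as functions you can unit-test, extended to fold a continuation line of a multi-line value into the preceding varbind (an assumption about how such values arrive on stdin) and to put a syslog PRI in front of the message. The sample trap text, hostnames and addresses are constructed.</p>

```python
import re
import time

UNKNOWN_HOST = "<UNKNOWN>"       # what snmptrapd prints when reverse DNS fails
LOCAL0_INFO = 16 * 8 + 6         # syslog PRI: facility local0 (16), severity info (6)

# Constructed sample of what the traphandle reads on stdin with outputOption Q:
# hostname, transport address, then one "OID = value" line per varbind.
SAMPLE_TRAP = """<UNKNOWN>
UDP: [192.0.2.10]:50000->[192.0.2.1]:162
DISMAN-EVENT-MIB::sysUpTimeInstance = 3:12:45.10
SNMPv2-MIB::snmpTrapOID.0 = IF-MIB::linkDown
IF-MIB::ifIndex.3 = 3
IF-MIB::ifAdminStatus.3 = up(1)
IF-MIB::ifOperStatus.3 = down(2)
"""

def parse_trap(text):
    """Return (hostname, trap name, [(varbind name, value), ...])."""
    lines = text.splitlines()
    if len(lines) < 2:
        raise ValueError("traphandle input needs hostname and address lines")
    hostname, address = lines[0].strip(), lines[1].strip()
    trap, varbinds = None, []
    for line in lines[2:]:
        if "=" not in line:
            # Assumption: a line without '=' continues a multi-line string value
            if varbinds:
                name, value = varbinds[-1]
                varbinds[-1] = (name, value + " " + line.strip())
            continue
        name, value = (s.strip() for s in line.split("=", 1))
        name = name.split("::", 1)[-1]           # drop the MIB module prefix
        value = value.strip("'\"")
        if name == "snmpTrapOID.0":
            trap = value.split("::", 1)[-1]      # IF-MIB::linkDown -> linkDown
        else:
            varbinds.append((name, value))
    if hostname == UNKNOWN_HOST:
        # fall back to the first bracketed address, e.g. [192.0.2.10]
        m = re.search(r"\[([^\]]+)\]", address)
        hostname = m.group(1) if m else address
    return hostname, trap, varbinds

def format_syslog(hostname, trap, varbinds, when=None):
    """One syslog-style line for syslog-ng's unix-stream() source."""
    stamp = when or time.strftime("%Y-%m-%dT%H:%M:%S")
    body = ", ".join("%s='%s'" % nv for nv in varbinds)
    return "<%d>%s %s snmptrap: %s; %s" % (LOCAL0_INFO, stamp, hostname, trap, body)
```

To use it as a traphandle, feed sys.stdin.read() to parse_trap() and send the line from format_syslog() over the /dev/log.snmp socket as Balint's script does.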
On 08/17/2011 11:17 PM, Smart, Dan wrote:
<blockquote
cite="mid:D1BCC17A53EE244095A31BEAF4AED3CEFA183063@JAXExch003.na.vul.com"
type="cite">
<div class="WordSection1">
<p class="MsoNormal">My interest is in network device syslog and
traps.</p>
<p class="MsoNormal">I’m trying to receive traps, and then
process them in Simple Event Correlator (SEC). I’ve got SEC
working fine with standard remote syslog.</p>
<p class="MsoNormal">After reading everything I could find, I
found a discussion from 2008 about losing the source hostname
when sending the trap to syslog.</p>
<p class="MsoNormal">I’m trying the source program method, and
eliminating multi-line traps.</p>
<p class="MsoNormal">As I understand it, syslog-ng is looking
for standard out from the program, so I specified -f in
snmptrapd to stop forking, and -Lo to send output to standard
output. I’m getting nothing in my d_debug file. Any
suggestions?</p>
<p class="MsoNormal">There is also a web page with a filter and
rewrite recipe for traps. Not sure why I need this if I am
sending the trap directly to SEC.</p>
<p class="MsoNormal">See <a moz-do-not-send="true"
href="https://lists.balabit.hu/pipermail/syslog-ng/2008-November/012200.html">https://lists.balabit.hu/pipermail/syslog-ng/2008-November/012200.html</a></p>
<p class="MsoNormal">And <a moz-do-not-send="true"
href="http://bazsi.blogs.balabit.com/2008/11/syslog-ng-3-0-and-snmp-traps/">http://bazsi.blogs.balabit.com/2008/11/syslog-ng-3-0-and-snmp-traps/</a></p>
<p class="MsoNormal">-=Dan=-</p>
<p class="MsoNormal">========= syslog-ng.conf =================</p>
<pre>
#
options {
    long_hostnames(off);
    use_dns(yes);
    use_fqdn(no);
    keep_hostname(yes);
    owner("root");
    group("adm");
    perm(0640);
    stats_freq(0);
    bad_hostname("^gconfd$");
    ts_format(iso);
    flush_lines(100);
    log_fetch_limit(100);
    log_fifo_size(2048);
    dir_perm(0755);
};

source s_program {
    program("/usr/sbin/snmptrapd -a -f -Lo --disableAuthorization=yes",
            flags(no-multi-line));
};

destination d_debug {
    file("/var/log/syslog-ng-debug"
         owner(root) group(root) perm(0600) dir_perm(0700) create_dirs(yes));
};

destination d_sec {
    program("/usr/local/bin/sec -input=\"-\" -conf=/usr/local/etc/sec.conf"
            flags(no-multi-line)
    );
};

log {
    source(s_program);
    destination(d_sec); destination(d_debug);
    flags(flow-control);
};
</pre>
</div>
<pre wrap="">
______________________________________________________________________________
Member info: <a class="moz-txt-link-freetext" href="https://lists.balabit.hu/mailman/listinfo/syslog-ng">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a>
Documentation: <a class="moz-txt-link-freetext" href="http://www.balabit.com/support/documentation/?product=syslog-ng">http://www.balabit.com/support/documentation/?product=syslog-ng</a>
FAQ: <a class="moz-txt-link-freetext" href="http://www.balabit.com/wiki/syslog-ng-faq">http://www.balabit.com/wiki/syslog-ng-faq</a>
</pre>
</blockquote>
</body>
</html>