<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">
</head>
<body text="#000000" bgcolor="#ffffff">
Hello,<br>
First of all, I started to use syslog-ng on Ubuntu a few days ago
and it seems a great syslog server.<br>
<br>
But today I stumbled on a problem.<br>
<br>
<br>
I configured snmptrapd with TRAPDOPTS='-Lsd ' and this means that
snmptrapd will send the trap received to syslog-ng.<br>
Now, syslog-ng puts those traps by default in /var/log/syslog
because of these default configurations:<br>
<br>
source s_src { unix-dgram("/dev/log"); internal();<br>
file("/proc/kmsg" program_override("kernel"));<br>
};<br>
destination d_syslog { file("/var/log/syslog"); };<br>
filter f_syslog3 { not facility(auth, authpriv, mail) and not
filter(f_debug); };<br>
log { source(s_src); filter(f_syslog3); destination(d_syslog); };<br>
<br>
What I want to accomplish is to have traps from different hosts put in
different files, not all together in the same file like it happens
now.<br>
At first I tried to filter based on the IP address of the host that was
sending the trap, but I realized that the snmptrapd process is the
one that sends the trap to the syslog-ng process, not the device
directly:<br>
<br>
Aug 29 11:42:48 Dell <b>snmptrapd</b>[3801]: 2011-08-29 11:42:43
10.90.0.252 [UDP: [10.90.0.252]:49364->[192.168.53.151]]:<br>
iso.3.6.1.2.1.1.3.0 = Timeticks: (1563318974) 180 days,
22:33:09.74 <br>
iso.3.6.1.6.3.1.1.4.1.0 = OID: iso.3.6.1.4.1.9.9.41.2.0.1 <br>
iso.3.6.1.4.1.9.9.41.1.2.3.1.2.31 = STRING: "LINK" <br>
iso.3.6.1.4.1.9.9.41.1.2.3.1.3.31 = INTEGER: 4 <br>
iso.3.6.1.4.1.9.9.41.1.2.3.1.4.31 = STRING: "UPDOWN" <br>
iso.3.6.1.4.1.9.9.41.1.2.3.1.5.31 = STRING: "Interface Serial0/0/0,
changed state to down" <br>
iso.3.6.1.4.1.9.9.41.1.2.3.1.6.31 = Timeticks: (1563318974) 180
days, 22:33:09.74<br>
<br>
<br>
<br>
So maybe you have done this - how can I filter based on the program
that is sending the message (like snmptrapd)? And also, can filters
based on the text itself be used? Like:<br>
- if the message contains "10.90.0.252 [UDP:
[10.90.0.252]:XXXXX->[192.168.53.151]" put the message in "this"
file <br>
- if the message contains "10.90.1.22 [UDP:
[10.90.1.22]:XXXXX->[192.168.53.151]" put the message in "that"
file<br>
Thanks<br>
<br>
<pre class="moz-signature" cols="72">--
</pre>
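<br>
One way to express the routing asked about above in syslog-ng configuration, added here as an example and not part of the original message. The filter and destination names and the /var/log/snmptraps/ paths are assumptions, s_src is the source from the post, and the target directory is assumed to exist.<br>

```conf
# Added example; names and paths below are assumptions, not from the post.

# Select only messages whose program field is snmptrapd.
filter f_snmptrapd { program("snmptrapd"); };

# Match the sender address that snmptrapd writes into the message text.
# Single-quoted strings keep the regex backslashes literal; dots and
# brackets are escaped so 10.90.0.252 cannot match e.g. 10.90.0.2520.
filter f_trap_10_90_0_252 {
    match('10\.90\.0\.252 \[UDP: \[10\.90\.0\.252\]:[0-9]+->' value("MESSAGE"));
};
filter f_trap_10_90_1_22 {
    match('10\.90\.1\.22 \[UDP: \[10\.90\.1\.22\]:[0-9]+->' value("MESSAGE"));
};

destination d_trap_10_90_0_252 { file("/var/log/snmptraps/10.90.0.252.log"); };
destination d_trap_10_90_1_22  { file("/var/log/snmptraps/10.90.1.22.log"); };
destination d_trap_other       { file("/var/log/snmptraps/other.log"); };

# These log statements must appear BEFORE the default one that writes to
# /var/log/syslog: flags(final) stops further processing of a matched
# message, so traps no longer land in the shared file as well.
log {
    source(s_src); filter(f_snmptrapd); filter(f_trap_10_90_0_252);
    destination(d_trap_10_90_0_252); flags(final);
};
log {
    source(s_src); filter(f_snmptrapd); filter(f_trap_10_90_1_22);
    destination(d_trap_10_90_1_22); flags(final);
};

# Catch-all for traps from senders without a dedicated file, so they are
# kept separate from /var/log/syslog rather than silently mixed in.
log {
    source(s_src); filter(f_snmptrapd);
    destination(d_trap_other); flags(final);
};
```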
</body>
</html>