Hello –
I set up snmptrapd to write to /var/log/snmptrapd.log and syslog-ng is configured to read from it like this …
source {
    snmptrap(filename("/var/log/snmptrapd.log"));
};
… but /var/log/snmptrapd.log is not getting emptied, so it needs to be truncated every so often to avoid filling up the filesystem.
But the problem with truncating /var/log/snmptrapd.log is that we’re going to lose traps, since we get a lot of them.
When I was testing this syslog-ng snmptrap facility with a few traps a minute, I saw /var/log/snmptrapd.log empty, but with hundreds of traps incoming per second, it does not empty any more.
I have what looks like a work-around to the syslog-ng snmptrap handler/parser where …
… but perhaps I didn’t have to do that, since perhaps I’m misusing the snmptrap facility built into syslog-ng, and thus causing /var/log/snmptrapd.log to not empty.
Your comments and insights would be appreciated.
- Allen
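An added illustration of the trap-loss concern raised above; this is not code from the post or from syslog-ng or net-snmp. It simulates a writer appending one trap record per line (a stand-in for snmptrapd, assumed to open its log in append mode and to reopen the path after a rotation, e.g. on SIGHUP; verify both against your snmptrapd) and a tail -F style follower (a toy standing in for syslog-ng's file reader, which does its own rotation and truncation detection). Truncating the file in place discards every record the follower has not yet read, while rotating by rename keeps the old inode and its unread bytes until the follower has drained them. File names and line format are constructed for the demo.

```python
import os
import tempfile

LINE_FMT = "trap-{:06d}\n"  # constructed stand-in for one trap record per line


def write_traps(path, start, count):
    """Append `count` numbered records, as an append-mode logger (O_APPEND) would."""
    with open(path, "a") as fh:
        for i in range(start, start + count):
            fh.write(LINE_FMT.format(i))


class TailReader:
    """tail -F style follower: keeps the file open, switches on rename, restarts on truncation."""

    def __init__(self, path):
        self.path = path
        self.fh = open(path, "rb")
        self.inode = os.fstat(self.fh.fileno()).st_ino
        self.lines = []

    def _drain(self):
        data = self.fh.read()  # read to EOF of whatever inode is currently open
        self.lines.extend(data.decode().splitlines())

    def poll(self):
        self._drain()
        st = os.stat(self.path)
        if st.st_ino != self.inode:
            # rotated by rename: the old inode was fully drained above, follow the new file
            self.fh.close()
            self.fh = open(self.path, "rb")
            self.inode = st.st_ino
            self._drain()
        elif st.st_size < self.fh.tell():
            # truncated in place: records written since the last poll are gone for good.
            # If the writer had already refilled the file past the old offset, even this
            # size check would miss the truncation and the reader would resume mid-record.
            self.fh.seek(0)
            self._drain()
        return len(self.lines)

    def close(self):
        self.fh.close()


def missing_traps(reader, total):
    """Records 0..total-1 that the follower never saw."""
    expected = {LINE_FMT.format(i).rstrip("\n") for i in range(total)}
    return sorted(expected - set(reader.lines))


def truncate_in_place(path):
    open(path, "w").close()  # same effect as ": > /var/log/snmptrapd.log"


def rotate_by_rename(path):
    os.rename(path, path + ".1")  # old inode survives with its unread bytes


def scenario(path, rotate):
    """Writer and follower interleaved so that a burst lands while the follower is behind."""
    write_traps(path, 0, 200)
    reader = TailReader(path)
    reader.poll()                # follower is caught up through record 199
    write_traps(path, 200, 50)   # burst arrives before the next poll
    rotate(path)                 # operator rotates while the follower is behind
    write_traps(path, 250, 50)   # writer continues; for rename this assumes it reopened the path
    reader.poll()
    reader.close()
    return missing_traps(reader, 300)


def run_demo():
    with tempfile.TemporaryDirectory() as tmp:
        lost_truncate = scenario(os.path.join(tmp, "trunc.log"), truncate_in_place)
        lost_rename = scenario(os.path.join(tmp, "rename.log"), rotate_by_rename)
    return {"truncate": lost_truncate, "rename": lost_rename}


if __name__ == "__main__":
    result = run_demo()
    print("lost by truncation:", len(result["truncate"]), "records")
    print("lost by rename rotation:", len(result["rename"]), "records")
```

The run reports 50 records lost under truncation (every record written between the follower's last read and the truncate) and none under rename rotation, because the follower keeps reading the renamed inode before switching. The practical check is therefore whether the reader finishes the old file before it is unlinked, and whether the writer really reopens the new path after the rename.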