On Mon, 2011-08-29 at 12:12 +0300, Cosmin Neagu wrote:
Hello,

First of all, I started to use syslog-ng on Ubuntu a few days ago and it seems a great syslog server.
But today I stumbled on a problem.
I configured snmptrapd with TRAPDOPTS='-Lsd ' and this means that snmptrapd will send the received traps to syslog-ng. Now, syslog-ng puts those traps by default in /var/log/syslog because of these default configurations:

    source s_src {
        unix-dgram("/dev/log");
        internal();
        file("/proc/kmsg" program_override("kernel"));
    };

    destination d_syslog { file("/var/log/syslog"); };

    filter f_syslog3 { not facility(auth, authpriv, mail) and not filter(f_debug); };

    log { source(s_src); filter(f_syslog3); destination(d_syslog); };

What I want to accomplish is to have traps from different hosts put in different files, not all together in the same file like it happens now. At first I tried to filter based on the IP address of the host that was sending the trap, but I realized that the snmptrapd process is the one that sends the trap to the syslog-ng process, not the device directly:
Aug 29 11:42:48 Dell snmptrapd[3801]: 2011-08-29 11:42:43 10.90.0.252 [UDP: [10.90.0.252]:49364->[192.168.53.151]]: iso.3.6.1.2.1.1.3.0 = Timeticks: (1563318974) 180 days, 22:33:09.74 iso.3.6.1.6.3.1.1.4.1.0 = OID: iso.3.6.1.4.1.9.9.41.2.0.1 iso.3.6.1.4.1.9.9.41.1.2.3.1.2.31 = STRING: "LINK" iso.3.6.1.4.1.9.9.41.1.2.3.1.3.31 = INTEGER: 4 iso.3.6.1.4.1.9.9.41.1.2.3.1.4.31 = STRING: "UPDOWN" iso.3.6.1.4.1.9.9.41.1.2.3.1.5.31 = STRING: "Interface Serial0/0/0, changed state to down" iso.3.6.1.4.1.9.9.41.1.2.3.1.6.31 = Timeticks: (1563318974) 180 days, 22:33:09.74
So maybe you have done this - how can I filter based on the program that is sending the message (like snmptrapd)? And also, can filters based on the text itself be used? Like:

 - if the message contains "10.90.0.252 [UDP: [10.90.0.252]:XXXXX->[192.168.53.151]" put the message in "this" file
 - if the message contains "10.90.1.22 [UDP: [10.90.1.22]:XXXXX->[192.168.53.151]" put the message in "that" file

Thanks
You can use the message() filter function to sort messages based on the message content. However, it'd be best to tell snmptrapd to use a format that syslog-ng can properly parse. As it seems the message payload is almost like a syslog header, isn't it possible to tell snmptrapd to format a proper syslog header and use the name of the sender host as the $HOST portion of the syslog message? Any snmptrapd users here?

-- 
Bazsi
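Putting the two halves of the answer together (program() to pick out what snmptrapd logs, message()/match() to pick out the sender), below is an added example syslog-ng configuration; it is not part of the thread and not from the syslog-ng project. It assumes the Ubuntu default source s_src quoted in the question and the snmptrapd line format shown there (the -Lsd option logs to syslog with facility daemon); the /var/log/snmptraps directory and every f_*/d_* name are made up for the example. One caveat a practitioner should keep in mind: the address in the trap line is the UDP source address as snmptrapd saw it, and SNMPv1/v2c traps are neither authenticated nor integrity-protected, so the file a trap lands in is chosen by data the sender controls. The capture below therefore only admits digits and dots before the value is used in a file name, and the per-host patterns are anchored and dot-escaped so "10.90.0.252" does not also match "110.90.0.252" or "10.90.0.2520".

```conf
# Added example syslog-ng configuration (not from the thread or the project).
# Assumes the Ubuntu default source s_src and the snmptrapd log format shown
# above. /var/log/snmptraps/ and all f_*/d_* names are assumed for the example.

# 1. Only messages that syslog-ng received from the snmptrapd program.
filter f_snmptrapd { program("snmptrapd"); };

# 2. Direct answer to the question: one explicit rule per sender, using
#    message() on the payload. Anchored to the start of the message and with
#    the dots escaped ("\\." in a syslog-ng string reaches the regex as "\.").
filter f_trap_10_90_0_252 {
    message("^[0-9-]+ [0-9:]+ 10\\.90\\.0\\.252 \\[UDP: \\[10\\.90\\.0\\.252\\]:");
};
destination d_trap_10_90_0_252 { file("/var/log/snmptraps/10.90.0.252.log"); };

# 3. General form: capture the sender address once and use it in the file name.
#    flags(store-matches) exposes the parenthesised group as the $1 macro.
#    The group only admits digits and dots, which keeps any "/" or other
#    sender-chosen bytes out of the path built in d_traps_by_sender.
filter f_trapsrc {
    match("^[0-9-]+ [0-9:]+ ([0-9.]+) \\[UDP: "
          value("MESSAGE")
          flags(store-matches));
};
destination d_traps_by_sender {
    file("/var/log/snmptraps/$1.log" create_dirs(yes));
};

# Two filter() references in one log path are ANDed. flags(final) keeps these
# messages from also landing in /var/log/syslog, provided these log statements
# come before the default one that uses f_syslog3.
log {
    source(s_src);
    filter(f_snmptrapd);
    filter(f_trap_10_90_0_252);
    destination(d_trap_10_90_0_252);
    flags(final);
};
log {
    source(s_src);
    filter(f_snmptrapd);
    filter(f_trapsrc);
    destination(d_traps_by_sender);
    flags(final);
};
```

The first log statement is the literal "this file / that file" rule asked for; the second generalizes it to one file per sender without listing hosts. If you would rather not rely on statement order and flags(final), append "and not filter(f_snmptrapd)" to the default f_syslog3 instead. Either way this matches on free text that snmptrapd happens to print, so Bazsi's suggestion of having snmptrapd emit a proper syslog header with the sender as $HOST remains the more robust route, since it would let the usual host() filter and $HOST macro do the routing.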