Hello,
First of all, I started to use syslog-ng on Ubuntu a few days ago
and it seems a great syslog server.
But today I stumbled on a problem.
I configured snmptrapd with TRAPDOPTS='-Lsd ' and this means that
snmptrapd will send the received traps to syslog-ng.
Now, syslog-ng puts those traps by default in /var/log/syslog
because of this default configuration:
source s_src { unix-dgram("/dev/log"); internal();
file("/proc/kmsg" program_override("kernel")); };
destination d_syslog { file("/var/log/syslog"); };
filter f_syslog3 { not facility(auth, authpriv, mail) and not
filter(f_debug); };
log { source(s_src); filter(f_syslog3); destination(d_syslog); };
What I want to accomplish is to have traps from different hosts put in
different files, not all together in the same file like it happens
now.
At first I tried to filter based on the IP address of the host that was
sending the trap, but I realized that the snmptrapd process is the
one that sends the trap to the syslog-ng process, not the device
directly:
Aug 29 11:42:48 Dell snmptrapd[3801]: 2011-08-29 11:42:43
10.90.0.252 [UDP: [10.90.0.252]:49364->[192.168.53.151]]:
iso.3.6.1.2.1.1.3.0 = Timeticks: (1563318974) 180 days,
22:33:09.74
iso.3.6.1.6.3.1.1.4.1.0 = OID: iso.3.6.1.4.1.9.9.41.2.0.1
iso.3.6.1.4.1.9.9.41.1.2.3.1.2.31 = STRING: "LINK"
iso.3.6.1.4.1.9.9.41.1.2.3.1.3.31 = INTEGER: 4
iso.3.6.1.4.1.9.9.41.1.2.3.1.4.31 = STRING: "UPDOWN"
iso.3.6.1.4.1.9.9.41.1.2.3.1.5.31 = STRING: "Interface Serial0/0/0,
changed state to down"
iso.3.6.1.4.1.9.9.41.1.2.3.1.6.31 = Timeticks: (1563318974) 180
days, 22:33:09.74
So maybe you have done this - how can I filter based on the program
that is sending the message (like snmptrapd)? And also, can filters
based on the text itself be used? Like:
- if the message contains "10.90.0.252 [UDP:
[10.90.0.252]:XXXXX->[192.168.53.151]" put the message in "this"
file
- if the message contains "10.90.1.22 [UDP:
[10.90.1.22]:XXXXX->[192.168.53.151]" put the message in "that"
file
Thanks
--
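One way to do both things asked above (select on the sending program, then on the message text) as syslog-ng configuration. This is an added example and not part of the original post; it assumes syslog-ng 3.x syntax, reuses the s_src source from the Ubuntu default configuration quoted in the post, and takes the two host addresses from the post. The /var/log/traps/ paths and the filter and destination names are a chosen convention.

```conf
# Added example (not from the original post): route snmptrapd output
# into one file per trap source. Assumes syslog-ng 3.x syntax and the
# s_src source from the existing Ubuntu configuration; the
# /var/log/traps/ paths are an assumed convention.

# Select only messages whose PROGRAM field is snmptrapd.
filter f_snmptrapd { program("snmptrapd"); };

# Substring matches on the message body. The UDP source port changes with
# every trap, so the pattern stops at the "]:" that precedes the port.
# type("string") with flags("substring") is a plain text search, so the
# dots and brackets need no regex escaping.
filter f_trap_10_90_0_252 {
    match("10.90.0.252 [UDP: [10.90.0.252]:" value("MESSAGE") type("string") flags("substring"));
};
filter f_trap_10_90_1_22 {
    match("10.90.1.22 [UDP: [10.90.1.22]:" value("MESSAGE") type("string") flags("substring"));
};

destination d_trap_10_90_0_252 { file("/var/log/traps/10.90.0.252.log"); };
destination d_trap_10_90_1_22  { file("/var/log/traps/10.90.1.22.log"); };
# Catch-all for traps from hosts not listed above, so no trap is silently lost.
destination d_trap_other       { file("/var/log/traps/other.log"); };

# One log path per host. flags(final) stops later log statements from
# seeing a message once it has been written here, so these statements
# must appear before the generic log { ... destination(d_syslog); }
# statement if the traps are to stay out of /var/log/syslog.
log { source(s_src); filter(f_snmptrapd); filter(f_trap_10_90_0_252); destination(d_trap_10_90_0_252); flags(final); };
log { source(s_src); filter(f_snmptrapd); filter(f_trap_10_90_1_22);  destination(d_trap_10_90_1_22);  flags(final); };
log { source(s_src); filter(f_snmptrapd); destination(d_trap_other); flags(final); };
```

The order of the log statements matters: flags(final) only affects statements that come after it in the configuration file, so the per-host paths must precede the default path that writes to /var/log/syslog. Matching on program("snmptrapd") rather than on the trap text alone also keeps unrelated daemon messages that happen to mention an address out of the trap files. After editing, `syslog-ng -s` checks the configuration for syntax errors without starting the daemon.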