Hi Dan,

when I do something like this, I usually take a different approach: I use a script called from snmptrapd to write the log message to a socket. If you use something different than /dev/log (e.g. /dev/log.snmp), it's also easier to filter on the message. I am not sure if SEC has pre-defined rules for traps, but if not, this is probably easier to handle if you are not using a LOT of traps. If it's just port-security violations and link up/down messages on a moderately sized network, it should work fine.

So in my setup this usually looks like:

========= /etc/snmp/snmp.conf =================
mibdirs +/usr/share/snmp/mibs/:/etc/snmp/mibs/
mibs +ALL
mibwarninglevel 1
logtimestamp yes
printnumericenums no
printnumericoids no
suffixprinting 0

========= /etc/snmp/snmptrapd.conf =================
# syslog-ng configuration
doNotRetainNotificationLogs yes
doNotLogTraps yes
snmpTrapdAddr 0.0.0.0:162
authCommunity execute public
logOption s 10
outputOption Q
traphandle default /usr/local/bin/traptosyslog

========= /usr/local/bin/traptosyslog =================
#!/usr/bin/python
# Called by snmptrapd through "traphandle default ...". The trap arrives on
# stdin as: line 1 = sender hostname, line 2 = transport address, remaining
# lines = varbinds in "OID = value" form (outputOption Q). The result is one
# syslog line written to /dev/log.snmp, which syslog-ng reads as a
# unix-stream() source. (Written for Python 2, matching the shebang.)
import sys, time, socket

t = time.strftime('%Y-%m-%dT%H:%M:%S')
hostname = None
ipaddress = None
trap = None
oids = []

for line in sys.stdin:
    if not hostname:
        hostname = line.strip()
    elif not ipaddress:
        ipaddress = line.strip()
    else:
        (n, v) = line.split('=', 1)
        if n.strip() == "SNMPv2-MIB::snmpTrapOID.0":
            # The trap itself: keep only the name, e.g. IF-MIB::linkDown -> linkDown.
            # [-1] keeps a bare numeric OID intact when no MIB matched it.
            trap = v.strip().split('::', 1)[-1]
        else:
            # Any other varbind: drop the MIB module prefix and surrounding quotes
            if n.find('::') > 0:
                (base, real) = n.strip().split('::', 1)
                oids.append("%s='%s'" % (real, v.strip('\'"\n ')))
            else:
                oids.append("%s='%s'" % (n.strip(), v.strip('\'"\n ')))

oids.reverse()

# snmptrapd reports "<UNKNOWN>" when it cannot resolve the sender; fall back to
# the address between the brackets of e.g. "UDP: [192.0.2.10]:162->[...]"
if hostname == "<UNKNOWN>":
    b = ipaddress.find('[')
    e = ipaddress.find(']')
    if e > 0 and b > 0:
        hostname = ipaddress[b+1:e]
    else:
        hostname = ipaddress

# One connection per trap; syslog-ng's keep_timestamp/keep_hostname pick up
# the leading "<timestamp> <hostname>" of the message.
sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
sock.connect("/dev/log.snmp")
sock.sendall("%s %s snmptrap: %s; %s" % (t, hostname, trap, ', '.join(oids)))
sock.close()

========= /etc/syslog-ng/syslog-ng.conf =================
[...]
source snmp {
    unix-stream(
        "/dev/log.snmp"
        keep_timestamp(yes)
        keep_hostname(yes)
    );
};
[...]

This way the hostname and timestamp are preserved, the SNMP trap is nicely collapsed to a single line and formatted according to the matching MIB definition. All MIBs are loaded from /etc/snmp/mibs and if you need to add one more, just drop it into that folder and reload snmptrapd.

Balint

On 08/17/2011 11:17 PM, Smart, Dan wrote:
My interest is in network device syslog and traps.
I'm trying to receive traps, and then process them in Simple Event Correlator (SEC). I've got SEC working fine with standard remote syslog.
After reading everything I could find, I found a discussion from 2008 about losing the source hostname when sending the trap to syslog.
I'm trying the source program method, and eliminating multi-line traps.
As I understand it, syslog-ng is looking for standard output from the program, so I specified --f in snmptrapd to stop forking, and --Lo to send output to standard output. I'm getting nothing in my d_debug file. Any suggestions?
There is also a web page with a filter and rewrite recipe for traps. Not sure why I need this if I am sending the trap directly to SEC.
See https://lists.balabit.hu/pipermail/syslog-ng/2008-November/012200.html
And http://bazsi.blogs.balabit.com/2008/11/syslog-ng-3-0-and-snmp-traps/
-=Dan=-
========= syslog-ng.conf =================
# options { long_hostnames(off); use_dns(yes); use_fqdn(no); keep_hostname(yes); owner("root"); group("adm"); perm(0640); stats_freq(0); bad_hostname("^gconfd$"); ts_format(iso); flush_lines(100); log_fetch_limit(100); log_fifo_size(2048); dir_perm(0755); };
source s_program {
    program("/usr/sbin/snmptrapd -a -f -Lo --disableAuthorization=yes", flags(no-multi-line));
};
destination d_debug { file("/var/log/syslog-ng-debug" owner(root) group(root) perm(0600) dir_perm(0700) create_dirs(yes)); };
destination d_sec { program("/usr/local/bin/sec -input=\"-\" -conf=/usr/local/etc/sec.conf" flags(no-multi-line) ); };
log {
source(s_program);
destination(d_sec); destination(d_debug);
flags(flow-control);
};
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq
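An added example, not part of Balint's setup, Dan's configuration, or any syslog-ng/SEC code: a Python 3 parser for the single-line message that the traptosyslog handler above writes to /dev/log.snmp ("<timestamp> <host> snmptrap: <trap>; name='value', ..."), followed by the kind of sliding-window link-flap count one would otherwise write as a SEC rule. The sample lines are constructed; linkDown/linkUp and the ifIndex/ifAdminStatus/ifOperStatus varbinds follow IF-MIB, while the port-security line uses hypothetical trap and varbind names. It also shows why a dedicated socket helps filtering: a line that is not a trap is simply dropped.

```python
import re
from datetime import datetime, timedelta

# Constructed sample input in the shape traptosyslog emits:
# "<ISO timestamp> <hostname> snmptrap: <trap>; <varbind>='<value>', ..."
# linkDown/linkUp varbinds follow IF-MIB; portSecurityViolation and
# violatingMac are hypothetical names used only for illustration.
SAMPLE_LINES = [
    "2011-08-17T23:17:01 sw-core-1 snmptrap: linkDown; ifIndex='10103', ifAdminStatus='up', ifOperStatus='down'",
    "2011-08-17T23:17:04 sw-core-1 snmptrap: linkUp; ifIndex='10103', ifAdminStatus='up', ifOperStatus='up'",
    "2011-08-17T23:17:09 sw-core-1 snmptrap: linkDown; ifIndex='10103', ifAdminStatus='up', ifOperStatus='down'",
    "2011-08-17T23:17:12 sw-core-1 snmptrap: linkUp; ifIndex='10103', ifAdminStatus='up', ifOperStatus='up'",
    "2011-08-17T23:17:40 sw-core-1 snmptrap: linkDown; ifIndex='10104', ifAdminStatus='up', ifOperStatus='down'",
    "2011-08-17T23:18:30 sw-edge-7 snmptrap: portSecurityViolation; ifIndex='5', violatingMac='00:1b:2c:3d:4e:5f'",
    "2011-08-17T23:18:31 sw-edge-7 sshd[1234]: Accepted publickey for admin",  # not a trap: dropped
]

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (?P<host>\S+) snmptrap: "
    r"(?P<trap>[^;]+);\s*(?P<varbinds>.*)$"
)
# name='value' pairs separated by ", ". The lookahead requires the next thing
# after a closing quote to be another name='... or end of line, so a comma
# inside a value (e.g. a sysDescr string) is not taken as a separator.
VARBIND_RE = re.compile(r"([^\s,=]+)='(.*?)'(?=, [^\s,=]+='|$)")


def parse_trap_line(line):
    """Return a dict for one traptosyslog line, or None if the line is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "time": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S"),
        "host": m.group("host"),
        "trap": m.group("trap").strip(),
        "varbinds": dict(VARBIND_RE.findall(m.group("varbinds"))),
    }


def parse_lines(lines):
    """Parse a stream of syslog lines, silently dropping non-trap lines."""
    events = [parse_trap_line(line) for line in lines]
    return [e for e in events if e is not None]


def detect_link_flaps(events, window=timedelta(seconds=60), threshold=2):
    """Return the (host, ifIndex) pairs that raised at least `threshold`
    linkDown traps within `window`: the sliding-window count a SEC rule
    would otherwise perform on these lines."""
    recent = {}        # (host, ifIndex) -> linkDown times still inside the window
    flapping = set()
    for ev in events:
        if ev["trap"] != "linkDown":
            continue
        key = (ev["host"], ev["varbinds"].get("ifIndex"))
        times = [t for t in recent.get(key, []) if ev["time"] - t <= window]
        times.append(ev["time"])
        recent[key] = times
        if len(times) >= threshold:
            flapping.add(key)
    return flapping


if __name__ == "__main__":
    evs = parse_lines(SAMPLE_LINES)
    for ev in evs:
        print(ev["time"].isoformat(), ev["host"], ev["trap"], ev["varbinds"])
    print("flapping:", sorted(detect_link_flaps(evs)))
```

Because traptosyslog strips the MIB module prefix and quotes, the parser keys varbinds by bare name (ifIndex, not IF-MIB::ifIndex); a port that goes down twice inside the window is reported once, which is the usual shape of a flap alert.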