Hi Dan,

when I do something like this, I usually take a different approach: I use a script called from snmptrapd to write the log message to a socket. If you use something different than /dev/log (e.g. /dev/log.snmp), it's also easier to filter on the message. I am not sure if SEC has pre-defined rules for traps, but if not, this is probably easier to handle if you are not using a LOT of traps. If it's just port-security violations and link up/down messages on a moderately sized network, it should work fine.

So in my setup this usually looks like:

/etc/snmp/snmp.conf

mibdirs +/usr/share/snmp/mibs/:/etc/snmp/mibs/
mibs  +ALL
mibwarninglevel  1
logtimestamp  yes
printnumericenums  no
printnumericoids  no
suffixprinting  0


/etc/snmp/snmptrapd.conf

# syslog-ng configuration
doNotRetainNotificationLogs yes
doNotLogTraps yes
snmpTrapdAddr 0.0.0.0:162
authCommunity execute public
logOption s 10
outputOption Q
traphandle default /usr/local/bin/traptosyslog


/usr/local/bin/traptosyslog

#!/usr/bin/python

import sys, time, socket

t = time.strftime('%Y-%m-%dT%H:%M:%S')
hostname = None
ipaddress = None
trap = None
oids = []

# snmptrapd feeds the traphandle on stdin: line 1 is the hostname, line 2 the
# transport address, then one "OID = value" line per varbind
for line in sys.stdin:
    if not hostname:
        hostname = line.strip()
    elif not ipaddress:
        ipaddress = line.strip()
    else:
        if '=' not in line:
            continue  # not a varbind line, ignore it
        (n, v) = line.split('=', 1)
        n = n.strip()
        v = v.strip('\'"\n ')
        if n == "SNMPv2-MIB::snmpTrapOID.0":
            # drop the MIB module prefix; a numeric OID (no matching MIB) has no '::'
            trap = v.split('::', 1)[1] if '::' in v else v
        elif '::' in n:
            oids.append("%s='%s'" % (n.split('::', 1)[1], v))
        else:
            oids.append("%s='%s'" % (n, v))

oids.reverse()

# snmptrapd passes "<UNKNOWN>" when reverse DNS fails; fall back to the address
# inside the brackets of e.g. "UDP: [192.0.2.1]:161->[0.0.0.0]:162"
if hostname == "<UNKNOWN>":
    b = ipaddress.find('[')
    e = ipaddress.find(']')
    if b >= 0 and e > b:
        hostname = ipaddress[b+1:e]
    else:
        hostname = ipaddress

# one newline-terminated line so syslog-ng's unix-stream source frames it as one message
msg = "%s %s snmptrap: %s; %s\n" % (t, hostname, trap, ', '.join(oids))
sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
sock.connect("/dev/log.snmp")
sock.sendall(msg.encode())  # bytes, so this also runs under Python 3
sock.close()


/etc/syslog-ng/syslog-ng.conf

[...]

source snmp
  {
     unix-stream(
        "/dev/log.snmp"
        keep_timestamp(yes)
        keep_hostname(yes)
     );
  };

[...]

This way the hostname and timestamp are preserved, the SNMP trap is nicely collapsed to a single line and formatted according to the matching MIB definition. All MIBs are loaded from /etc/snmp/mibs and if you need to add one more, just drop it into that folder and reload snmptrapd.

Balint
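As an added example, not Balint's handler or Dan's SEC setup: once traps arrive as single lines in the format the handler above writes, correlation is a matter of parsing one line per event. This constructed Python snippet parses that format and flags interfaces that flap between linkUp and linkDown, the kind of check one would otherwise express as a SEC rule; the sample lines, host names and thresholds are made up.

```python
import re
from collections import defaultdict
from datetime import datetime
# Matches the one-line format the traptosyslog handler writes to the socket
TRAP_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) snmptrap: (?P<trap>[^;]*); (?P<vars>.*)$")
VAR_RE = re.compile(r"([\w.\-]+)='([^']*)'")

def parse_trap_line(line):
    """Return (timestamp, host, trap name, {varbind: value}), or None if not a trap line."""
    m = TRAP_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S")
    return ts, m.group("host"), m.group("trap").strip(), dict(VAR_RE.findall(m.group("vars")))

def find_flapping(lines, threshold=4, window=60):
    """(host, ifIndex) pairs with at least `threshold` link traps within `window` seconds."""
    events = defaultdict(list)
    for line in lines:
        parsed = parse_trap_line(line)
        if parsed is None:
            continue
        ts, host, trap, vb = parsed
        if trap not in ("linkUp", "linkDown"):
            continue  # coldStart, port-security and other traps are not link transitions
        idx = next((v for k, v in vb.items() if k.startswith("ifIndex")), None)
        if idx is None:
            continue
        events[(host, idx)].append(ts)
    flapping = set()
    for key, stamps in events.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):  # sliding window over sorted timestamps
            while (ts - stamps[start]).total_seconds() > window:
                start += 1
            if end - start + 1 >= threshold:
                flapping.add(key)
                break
    return sorted(flapping)
# Constructed sample lines in the handler's output format (not real device output)
SAMPLE = [
    "2011-08-17T23:00:01 sw01 snmptrap: linkDown; ifOperStatus.3='down', ifAdminStatus.3='up', ifIndex.3='3'",
    "2011-08-17T23:00:09 sw01 snmptrap: linkUp; ifOperStatus.3='up', ifAdminStatus.3='up', ifIndex.3='3'",
    "2011-08-17T23:00:20 sw01 snmptrap: linkDown; ifOperStatus.3='down', ifAdminStatus.3='up', ifIndex.3='3'",
    "2011-08-17T23:00:31 sw01 snmptrap: linkUp; ifOperStatus.3='up', ifAdminStatus.3='up', ifIndex.3='3'",
    "2011-08-17T23:05:00 sw02 snmptrap: linkDown; ifOperStatus.7='down', ifAdminStatus.7='up', ifIndex.7='7'",
    "2011-08-17T23:08:00 sw01 snmptrap: coldStart; snmpTrapEnterprise.0='ciscoSystems'",
]
```

Running `find_flapping(SAMPLE)` on these lines reports only sw01 interface 3, which went down and up twice inside a minute.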


On 08/17/2011 11:17 PM, Smart, Dan wrote:

My interest is in network device syslog and traps.

I’m trying to receive traps, and then process them in Simple Event Correlator (SEC).  I’ve got SEC working fine with standard remote syslog.

After reading everything I could find, I found a discussion from 2008 about losing the source hostname when sending the trap to syslog. 


I’m trying the source program method, and eliminating multi-line traps.

As I understand that syslog-ng is looking for Standard Out from the program, I specified -f in snmptrapd to stop forking, and -Lo to send output to standard output. I'm getting nothing in my d_debug file. Any suggestions?


There is also a web page with a filter and rewrite recipe for traps.  Not sure why I need this if I am sending the trap directly to SEC. 

See https://lists.balabit.hu/pipermail/syslog-ng/2008-November/012200.html

And http://bazsi.blogs.balabit.com/2008/11/syslog-ng-3-0-and-snmp-traps/


-=Dan=-


========= syslog-ng.conf =================

#
options {
        long_hostnames(off);
        use_dns(yes);
        use_fqdn(no);
        keep_hostname(yes);
        owner("root");
        group("adm");
        perm(0640);
        stats_freq(0);
        bad_hostname("^gconfd$");
        ts_format(iso);
        flush_lines(100);
        log_fetch_limit(100);
        log_fifo_size(2048);
        dir_perm(0755);
};

source s_program {
    program("/usr/sbin/snmptrapd -a -f -Lo --disableAuthorization=yes", flags(no-multi-line));
};

destination d_debug {
   file("/var/log/syslog-ng-debug"
   owner(root) group(root) perm(0600) dir_perm(0700) create_dirs(yes));
};

destination d_sec {
        program("/usr/local/bin/sec -input=\"-\" -conf=/usr/local/etc/sec.conf"
        flags(no-multi-line) );
};


log {
        source(s_program);
        destination(d_sec); destination(d_debug);
        flags(flow-control);
};

______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq