Hi,

Does anybody on this fine list handle SNMP traps using syslog-ng? We used to just forward logs using syslog and snmptrapd as suggested on an old blog post from Bazsi. The problem with this approach is that the messages are flat. We would actually like to parse all the key-values from the original payload, anyone done that before?

Thanks!
When you say you "would actually like to parse all the key-values from the original payload" what do you mean? Do you want to process them with syslog-ng filters etc, or are you feeding this to another type of structured worker thread?

Evan.

On 06/09/2015 05:36 AM, Fabien Wernli wrote:
> Hi,
> Does anybody on this fine list handle SNMP traps using syslog-ng? We used to just forward logs using syslog and snmptrapd as suggested on an old blog post from Bazsi.
> The problem with this approach is that the messages are flat. We would actually like to parse all the key-values from the original payload, anyone done that before?
> Thanks!
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.balabit.com/wiki/syslog-ng-faq
Hi,

On Tue, Jun 09, 2015 at 06:26:40AM -0700, Evan Rempel wrote:
> When you say you "would actually like to parse all the key-values from the original payload" what do you mean? Do you want to process them with syslog-ng filters etc, or are you feeding this to another type of structured worker thread?
I'd like to basically have the structured SNMP message parsed in syslog-ng, in the same way json-parser() parses JSON payload, and makes the key-values available as macros in syslog-ng.
We are not quite doing this, but it would not be too difficult to make this perl script produce json output, and have syslog-ng parse the source as json input. The attached script gets configuration details and creates its own logs via private packages, but they are easy to replace. Be careful to provide the PID file and the IP address to listen on. The "good stuff" is in the "sub writeBuff" where the list of name value pairs is produced. You could split each of these on the " = " giving you the name/value pairs themselves and then populate a json object before printing it to the standard output.

We run this script as

    source snmptrapd {
        program("/opt/flare/bin/flare-snmptrap" flags(expect-hostname) keep-hostname(yes) tags("snmptrap"));
    };

because the script currently outputs syslog formatted messages. Hope this is a good starting point.

On 06/09/2015 07:29 AM, Fabien Wernli wrote:
> Hi,
> On Tue, Jun 09, 2015 at 06:26:40AM -0700, Evan Rempel wrote:
>> When you say you "would actually like to parse all the key-values from the original payload" what do you mean? Do you want to process them with syslog-ng filters etc, or are you feeding this to another type of structured worker thread?
> I'd like to basically have the structured SNMP message parsed in syslog-ng, in the same way json-parser() parses JSON payload, and makes the key-values available as macros in syslog-ng.
-- Evan Rempel erempel@uvic.ca Senior Systems Administrator 250.721.7691 Data Centre Services, University Systems, University of Victoria
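As an added example (this is not Evan's flare-snmptrap script and not part of syslog-ng or net-snmp), here is a Python converter that does the step Evan describes: split each "name = value" varbind on " = ", cast the obvious net-snmp value types, and emit one JSON object per trap on a single line for syslog-ng's json-parser(). The input shape (a hostname line followed by "NAME = TYPE: VALUE" lines, one trap per blank-line separated block), the key names host and trap_oid, the sample trap and the script path in the config comment are all assumptions; how traps reach the script's stdin (a socket listener as in Evan's script, or a per-trap handler) is deployment-specific and not shown.

```python
#!/usr/bin/env python3
"""Turn SNMP trap varbinds ("name = value" lines) into one JSON line per trap.

Added example for this thread: not Evan Rempel's flare-snmptrap script and not
part of syslog-ng or net-snmp. Assumed input: a hostname line followed by
"NAME = TYPE: VALUE" varbind lines, one trap per blank-line separated block.
"""
import json
import re
import sys
from typing import Any, Dict, Iterable, List, Tuple

# net-snmp style value prefix ("INTEGER: 3", 'STRING: "eth0"', "OID: ..."),
# i.e. the text to the right of " = " in the name/value pairs Evan describes.
_TYPED = re.compile(r"^(?P<type>[A-Za-z0-9-]+):(?: (?P<val>.*))?$")
_INT_TYPES = {"INTEGER", "Counter32", "Counter64", "Gauge32", "Unsigned32"}
TRAP_OID_NAME = "SNMPv2-MIB::snmpTrapOID.0"  # standard varbind naming the trap


def parse_varbind(line: str) -> Tuple[str, Any]:
    """Split one 'NAME = TYPE: VALUE' line into (name, value).

    Plain integers become int, Timeticks become the tick count, a quoted
    STRING loses its quotes; anything else (enum labels like "down(2)",
    OIDs, IpAddress, Hex-STRING, untyped values) is kept as text so nothing
    is silently dropped.
    """
    if " = " not in line:
        raise ValueError(f"not a name = value pair: {line!r}")
    name, raw = line.split(" = ", 1)
    name, raw = name.strip(), raw.strip()
    m = _TYPED.match(raw)
    if not m:
        return name, raw
    typ, val = m.group("type"), (m.group("val") or "").strip()
    if typ in _INT_TYPES and re.fullmatch(r"-?\d+", val):
        return name, int(val)
    if typ == "Timeticks":
        ticks = re.match(r"\((\d+)\)", val)  # "(123456) 0:20:34.56" -> 123456
        return name, int(ticks.group(1)) if ticks else val
    if typ == "STRING" and len(val) >= 2 and val[0] == val[-1] == '"':
        return name, val[1:-1]
    return name, val


def trap_to_dict(host: str, lines: Iterable[str]) -> Dict[str, Any]:
    """Flat dict: 'host', one key per varbind name, and 'trap_oid' (assumed
    key names). A name that repeats within one trap (table rows) is collected
    into a list rather than overwriting the earlier value."""
    doc: Dict[str, Any] = {"host": host}
    for line in lines:
        if not line.strip():
            continue
        name, value = parse_varbind(line)
        if name in doc:
            prev = doc[name]
            doc[name] = prev + [value] if isinstance(prev, list) else [prev, value]
        else:
            doc[name] = value
    doc["trap_oid"] = doc.get(TRAP_OID_NAME)
    return doc


def trap_to_json(host: str, lines: Iterable[str]) -> str:
    """One trap, one line: json.dumps escapes embedded newlines, so a line
    oriented syslog-ng source never sees a trap split across two messages."""
    return json.dumps(trap_to_dict(host, lines), separators=(",", ":"))


def main() -> None:
    """Read blank-line separated traps from stdin (first line: hostname) and
    write one JSON line each, flushing so a program() source is not starved
    by stdout block buffering."""
    block: List[str] = []
    for line in sys.stdin:
        if line.strip():
            block.append(line.rstrip("\n"))
            continue
        if block:
            sys.stdout.write(trap_to_json(block[0], block[1:]) + "\n")
            sys.stdout.flush()
            block = []
    if block:
        sys.stdout.write(trap_to_json(block[0], block[1:]) + "\n")
        sys.stdout.flush()


# Constructed sample trap (not captured from a real device): a linkDown with
# a deliberately repeated enterprise varbind to exercise the list handling.
SAMPLE_TRAP = [
    "DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (123456) 0:20:34.56",
    "SNMPv2-MIB::snmpTrapOID.0 = OID: IF-MIB::linkDown",
    "IF-MIB::ifIndex.3 = INTEGER: 3",
    "IF-MIB::ifAdminStatus.3 = INTEGER: down(2)",
    'IF-MIB::ifDescr.3 = STRING: "eth0"',
    'SNMPv2-SMI::enterprises.99999.1 = STRING: "first"',
    'SNMPv2-SMI::enterprises.99999.1 = STRING: "second"',
]

# Matching syslog-ng side (assumed path; the script must run continuously):
#   source s_trap { program("/usr/local/bin/trap2json" flags(no-parse)); };
#   parser p_trap { json-parser(prefix(".trap.")); };

if __name__ == "__main__":
    if sys.stdin.isatty():  # no pipe on stdin: show the constructed sample
        print(trap_to_json("switch1", SAMPLE_TRAP))
    else:
        main()
```

On the syslog-ng side, flags(no-parse) keeps the whole JSON line in $MESSAGE, which json-parser() then splits into name-value pairs under the .trap. prefix. Varbind names are kept verbatim as keys; if your syslog-ng version is unhappy with characters such as "::" in macro names, sanitize the keys in trap_to_dict before emitting them. Values that carry an enum label ("down(2)") are deliberately left as text rather than guessed at, so no state information is lost on the way into the log.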
Hi,

Thanks a lot Evan, we'll definitely look into your solution. That being said, I think I'm missing the perl module that comes with your script. Is that available online somewhere?

Cheers
Which perl module?

    use POSIX;
    use JSON;
    use Data::Dumper;
    use FLARE::Logger;
    use FLARE::Config;

use POSIX;
use JSON;

These should be easy to come by. They should be in your distribution, and they are on CPAN.

use Data::Dumper;

Was just used for testing and is not needed, although it should be standard.

use FLARE::Logger;
use FLARE::Config;

are custom and only apply to our environment. It should not be too difficult to guess at what they do and substitute your own methods.

You will have to modify the script (sub writeBuff) to place the @nameValues into a json object and output that instead of the normal syslog message string.

Is there something I am missing?

Evan.

On 06/11/2015 01:45 AM, Fabien Wernli wrote:
> Hi,
> Thanks a lot Evan, we'll definitely look into your solution. That being said, I think I'm missing the perl module that comes with your script. Is that available online somewhere?
On Thu, Jun 11, 2015 at 08:15:10AM -0700, Evan Rempel wrote:
> use FLARE::Logger;
> use FLARE::Config;
At first read I thought these were doing all the heavy lifting. Must have been wrong, sorry for the noise!
Participants (2): Evan Rempel, Fabien Wernli