Have a requirement to convert all incoming syslogs to SNMP traps and send it to another host. One option I could think of is to use program () destination. When I tried this option, I find that syslog-ng is continuously sending newline characters to the specified program. i.e. even when no syslog is received, syslog-ng seems to be pumping newline chars to the specified program. Also I read the warning message in admin guide that, it will open up the door to DOS attack. Could someone let me know the best way to achieve this, please ? Thanks in advance for the help. John
I think program() is the best bet for you. I haven't had anything like that happen when using program(). What version of syslog-ng are you using? I don't think syslog-ng is sending newlines, but your script may be interpreting "silence" from syslog-ng as nothing and appending a newline or something. If you post a snippet from your script showing how it's reading from syslog-ng, that would help. It would also help to see the config relevant to the program() destination. On Thu, Dec 9, 2010 at 12:27 PM, Jay <difficult_id@yahoo.com> wrote:
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.campin.net/syslog-ng/faq.html
My advice, Net-SNMP via Perl if Perl is fast enough. Otherwise next easiest would be Westhawk SNMP via Java. If that won't work then Net-SNMP via C or SNMP++ via C++ is the fastest there is. I have a lot of experience writing SNMP network management software so I can try to get you straightened out if you run into trouble. Matthew. On Thu, Dec 09, 2010 at 01:05:26PM -0600, Martin Holste wrote:
hi, I just happened to be thinking about SNMP support. Cisco seems to have a MIB for syslog->snmp translation. So if anyone volunteers to anything related, I think this should be followed: http://tools.cisco.com/Support/SNMP/do/BrowseOID.do?objectInput=clogMessageG... On Thu, 2010-12-09 at 11:54 -0800, Matthew Hall wrote:
-- Bazsi
If this is for Cisco boxes, you can use:

    snmp-server enable traps syslog

This will generate a trap using the enterprise oid of 1.3.6.1.4.1.9.9.41.2

Clayton Dukes

On Thu, Dec 9, 2010 at 3:24 PM, Balazs Scheidler <bazsi@balabit.hu> wrote:
On Thu, Dec 09, 2010 at 04:12:36PM -0500, Clayton Dukes wrote:
If this is for Cisco boxes, you can use: snmp-server enable traps syslog
This will generate a trap using the enterprise oid of 1.3.6.1.4.1.9.9.41.2
I used to work at HP ProCurve. Their boxes can also send SNMPv1 log traps with the right commands and firmware. Matthew.
Many thanks to all those who replied.

Martin:
It is version 2.0.3
Thank you for the hint. Now I have fixed the issue in my program and it is working fine as expected. It doesn't send the newline chars any more. I am copy-pasting the config and program. Please let me know if it can still be improved.

syslog-ng.conf:

    destination convert_syslog_to_trap { program ("/tmp/convertSyslogToTrap"); };

cat /tmp/convertSyslogToTrap:

    #!/bin/bash
    # syslog-ng keeps this program running and writes each message as one
    # line on stdin, so read in a loop until the pipe is closed rather than
    # reading a single line and exiting.
    while IFS= read -r syslog; do
        # Process the syslog message and forward it as trap using /usr/local/bin/snmptrap
        :
    done

Matthew:
I do use Net-SNMP to an extent with embedded perl, but mostly I use it for receiving SNMP traps. Do you mean that it provides a facility to receive syslogs as well? If so, I would be interested to use that feature. Are there any comparison charts available between Net-SNMP's syslog receiving capability and syslog-ng's capability?

Balazs & Clayton:
This request is not specific to Cisco devices and the requirement is to handle syslogs. Also, it is not possible to suggest to my customer to configure devices to send traps for syslogs.

--- On Thu, 12/9/10, Martin Holste <mcholste@gmail.com> wrote:
From: Martin Holste <mcholste@gmail.com>
Subject: Re: [syslog-ng] Convert syslog to traps
To: difficult_id@yahoo.com, "Syslog-ng users' and developers' mailing list" <syslog-ng@lists.balabit.hu>
Date: Thursday, December 9, 2010, 2:05 PM
Your config looks fine for syslog-ng as far as the destination is concerned. It's really that simple. Depending on your load, go with what works, but a bash script will probably be a lot less efficient than a Perl script as the program. The Net::SNMP Perl module provides a way to send snmp traps. From the module man page:

    ($session, $error) = Net::SNMP->session(
        [-hostname => $hostname,]
        [-port     => $port,]
        ... lots more options possible ...
    );

    $result = $session->snmpv2_trap(
        [-delay      => $seconds,]   # non-blocking
        -varbindlist => \@oid_value,
    );

See Bazsi's earlier comment about picking what OID to use. A small, properly written script should perform extremely well. I'd guess that on older hardware it would send 5-10k traps/sec without too much of an issue. Again though, if what you've got works, no reason to change it yet.

On Fri, Dec 10, 2010 at 9:53 AM, Jay <difficult_id@yahoo.com> wrote:
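A reader for the program() destination in the shape Jay's config calls for, written here as an added example (it is not code from the thread, from syslog-ng or from Net-SNMP): it stays alive for as long as syslog-ng keeps the pipe open, ignores blank lines instead of turning them into empty traps, decodes the RFC 3164 PRI into facility and severity, bounds the message length, and hands the text to snmptrap as a single argv element so that log content, which the sender controls, is never interpolated into a command string. Everything site-specific is an assumption: the receiver and community come from the environment, the script is started as `/path/to/script run`, snmptrap from Net-SNMP is expected on PATH, and the notification and varbind OIDs are placeholders under the 1.3.6.1.4.1.9.9.41.2 subtree Clayton mentions, to be replaced by the objects of whatever MIB is actually deployed. It still forks snmptrap once per message, which is the overhead Martin's in-process Net::SNMP suggestion removes; the loop and the PRI decoding carry over to a Perl version unchanged.

```shell
#!/bin/sh
# Added example (not from the thread): stdin reader for a syslog-ng program()
# destination, e.g.  destination d_trap { program("/usr/local/bin/syslog2trap run"); };
# Assumptions: Net-SNMP's snmptrap is on PATH; receiver and community come from
# the environment; the OIDs below are PLACEHOLDERS under the enterprise subtree
# the thread mentions and must be replaced with objects from the MIB you deploy.

TRAP_HOST="${TRAP_HOST:-trap-receiver.example.invalid}"
TRAP_COMMUNITY="${TRAP_COMMUNITY:-public}"
TRAP_OID="${TRAP_OID:-1.3.6.1.4.1.9.9.41.2.0.1}"                 # placeholder notification OID
OID_FACILITY="${OID_FACILITY:-1.3.6.1.4.1.9.9.41.1.2.3.1.2}"     # placeholder varbind OID
OID_SEVERITY="${OID_SEVERITY:-1.3.6.1.4.1.9.9.41.1.2.3.1.3}"     # placeholder varbind OID
OID_MSGTEXT="${OID_MSGTEXT:-1.3.6.1.4.1.9.9.41.1.2.3.1.5}"       # placeholder varbind OID
MAX_MSG_LEN=1024   # cap the text varbind so one log line cannot build an oversized datagram

# has_pri LINE: true when LINE starts with an RFC 3164 PRI field such as "<34>"
has_pri() {
    case $1 in
        '<'[0-9]'>'*|'<'[0-9][0-9]'>'*|'<'[0-9][0-9][0-9]'>'*) return 0 ;;
        *) return 1 ;;
    esac
}

# pri_to_facility_severity LINE: prints "facility severity" decoded from the PRI
# (facility = PRI / 8, severity = PRI % 8). A missing PRI, a PRI above 191 or a
# zero-padded PRI falls back to "1 6" (user.info) instead of dropping the line.
pri_to_facility_severity() {
    if has_pri "$1"; then
        pri=${1#<}
        pri=${pri%%>*}
        case $pri in
            0|[1-9]*)
                if [ "$pri" -le 191 ]; then
                    echo "$((pri / 8)) $((pri % 8))"
                    return 0
                fi ;;
        esac
    fi
    echo "1 6"
}

# strip_pri LINE: prints LINE without its leading PRI field
strip_pri() {
    if has_pri "$1"; then
        printf '%s\n' "${1#*>}"
    else
        printf '%s\n' "$1"
    fi
}

# send_trap FACILITY SEVERITY MESSAGE: one SNMPv2c trap via snmptrap.
# MESSAGE is passed as its own argument and nothing from the log line is ever
# evaluated by the shell, so shell syntax inside a message stays plain text.
# '' as the uptime argument makes snmptrap fill in its own sysUpTime.
send_trap() {
    snmptrap -v 2c -c "$TRAP_COMMUNITY" "$TRAP_HOST" '' "$TRAP_OID" \
        "$OID_FACILITY" i "$1" \
        "$OID_SEVERITY" i "$2" \
        "$OID_MSGTEXT"  s "$3"
}

# forward_stdin: runs until syslog-ng closes the pipe, one message per line
forward_stdin() {
    command -v snmptrap >/dev/null 2>&1 || { echo "snmptrap not found in PATH" >&2; exit 1; }
    while IFS= read -r line; do
        [ -n "$line" ] || continue      # a blank line is not a message; send no trap for it
        set -- $(pri_to_facility_severity "$line")
        msg=$(strip_pri "$line" | cut -c "1-$MAX_MSG_LEN")
        send_trap "$1" "$2" "$msg"
    done
}

# Only start reading when invoked as "... run", so the functions above can
# also be sourced and exercised without touching stdin.
if [ "${1:-}" = "run" ]; then
    forward_stdin
fi
```

Because syslog-ng starts the program once and keeps writing to it, an error in the script's own logic surfaces as a stalled or respawning destination rather than a lost message; watching the process count and the receiver's trap rate side by side is the quickest check that the loop is behaving.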
Martin,
Your solution to use a perl script is working fine. Net::SNMP worked fine. Many thanks for all the help.

--- On Fri, 12/10/10, Martin Holste <mcholste@gmail.com> wrote:
From: Martin Holste <mcholste@gmail.com>
Subject: Re: [syslog-ng] Convert syslog to traps
To: difficult_id@yahoo.com
Cc: "Syslog-ng users' and developers' mailing list" <syslog-ng@lists.balabit.hu>
Date: Friday, December 10, 2010, 11:39 AM