[syslog-ng] snmptrapd and HOST macro mapping

Balazs Scheidler bazsi at balabit.hu
Thu Nov 13 07:36:28 CET 2008

On Wed, 2008-11-12 at 23:32 +0100, joël Winteregg wrote:
> Hello Balazs,
> Thank you very much for you quick reply !
> The csv-xxx functionality looks really great. You're doing a really good
> job ! Thanks ! Indeed, today, I was looking for such a functionality
> into the doc ;-)
> I think I will try your proposal as soon as possible and I will let you
> know how it works in my use case.
> Juste to know, does syslog-ng only use relay config statements
> (keep_hostname, etc.) when the log source is defined as udp() or tcp() ?

no, keep_hostname is always applied. in 3.0, it is even possible to
specify hostname related options on a per-source basis.

> I'm asking this, because I'm wondering if I forward my SNMP trap to
> syslogd and then to syslog-ng through udp (@SYSLOG-COLLECTOR defined in
> syslog.conf), syslog-ng will maybe see the SNMP trap as a compliant RFC
> 3164 forwarded message ?

That wouldn't work. the problem is inherent in the syslog API, it does
not let you change the hostname. The only way to work around that is to
have snmptrapd to send its output to syslog-ng directly (and format the
message according to the syslog protocol). There are multiple options:

  * pipe: make snmptrapd output go to a pipe, and reference this from
syslog-ng; writing a pipe is about the same as writing a file, so this
would probably work
  * program source: in 3.0, I introduced program source, which is
basically a syslog-ng managed program, whose output is parsed as a
syslog message, line by line.

We use the latter in our syslog appliance.


More information about the syslog-ng mailing list