[syslog-ng] snmptrapd and HOST macro mapping

Joël Winteregg joel.winteregg at gmail.com
Thu Nov 13 21:18:40 CET 2008


Hi,

Thanks again for your support.

> > Just to know, does syslog-ng only use relay config statements
> > (keep_hostname, etc.) when the log source is defined as udp() or tcp()?
> 
> no, keep_hostname is always applied. in 3.0, it is even possible to
> specify hostname related options on a per-source basis.
> 

Okay, interesting! You can hardcode (in the config file) a given HOST
macro value associated with a source config?

> > I'm asking this, because I'm wondering if I forward my SNMP trap to
> > syslogd and then to syslog-ng through udp (@SYSLOG-COLLECTOR defined in
> > syslog.conf), syslog-ng will maybe see the SNMP trap as a compliant RFC
> > 3164 forwarded message?
> 
> That wouldn't work. the problem is inherent in the syslog API, it does
> not let you change the hostname.

Okay, but here, what I wanted to achieve was the following. Log this
SNMP message using snmptrapd syslog functionality: 
"Nov 12 16:57:59 wlc02.mydomain.com Cold Start"

The given snmptrapd output message formatting (header): "Nov 12 16:57:59
wlc02.mydomain.com" set before every snmptrapd message is here to
provide an RFC 3164 compliant message => this should allow syslog-ng to
think that "Nov 12 16:57:59 wlc02.mydomain.com Cold Start" is a
forwarded syslog message? If so, this would allow me to fetch
"wlc02.mydomain.com" as HOST macro using keep_hostname(on), no?


>  The only way to work around that is to
> have snmptrapd to send its output to syslog-ng directly (and format the
> message according to the syslog protocol). There are multiple options:
> 
>   * pipe: make snmptrapd output go to a pipe, and reference this from
> syslog-ng; writing a pipe is about the same as writing a file, so this
> would probably work

Ahhh, yeah! That's much easier than my relayed message style! If, as I
did before, I format the snmptrapd message as follows (to a named pipe), it
should work:
"Nov 12 16:57:59 wlc02.mydomain.com Cold Start"

>   * program source: in 3.0, I introduced program source, which is
> basically a syslog-ng managed program, whose output is parsed as a
> syslog message, line by line.
> 

Okay, really interesting too ;-) It reads logs from stdout and stderr of
the given program?

Will try this (named pipe stuff) before the csv-parser option. As I'm
also interested in the csv-parser option I will invest time to try it too.
Will let you know about last-column-greedy.

Thanks again,

Regards.

Joël
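
Added example, not part of the original message and not syslog-ng's own code: a simplified Python model of how a line written to the pipe in the format discussed above is split into HOST and message with keep_hostname on and off, and why a header written without the host field puts the wrong value in HOST. The function names, the `collector` host name and the second and third sample lines are assumptions made for illustration.

```python
import re

# Simplified model of BSD syslog (RFC 3164) header parsing; not syslog-ng's parser.
HEADER = re.compile(
    r"^(?:<\d{1,3}>)?"                                   # optional priority
    r"(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)"
    r" [ \d]\d \d{2}:\d{2}:\d{2} "                        # "Nov 12 16:57:59 "
    r"(?P<host>\S+) (?P<msg>.*)$"
)

def assign_host(line, keep_hostname, local_host):
    """Return (HOST, MESSAGE) as a collector reading `line` from a pipe would."""
    line = line.rstrip("\n")
    m = HEADER.match(line)
    if m is None:
        # No timestamp + host header: nothing to keep, the line is all message.
        return local_host, line
    # keep_hostname(on) trusts the name written in the message itself;
    # otherwise the collector substitutes its own name for a local source.
    return (m.group("host") if keep_hostname else local_host), m.group("msg")

def unexpected_hosts(lines, known_hosts, local_host="collector"):
    """List HOST values taken from message text that are not expected devices."""
    seen = {assign_host(l, True, local_host)[0] for l in lines}
    return sorted(seen - set(known_hosts) - {local_host})

# Constructed sample input; only the first line's content comes from the thread.
SAMPLE = [
    "Nov 12 16:57:59 wlc02.mydomain.com Cold Start",
    "Nov 12 16:58:03 Cold Start",          # header written without a host field
    "Cold Start",                          # no header at all
]

if __name__ == "__main__":
    for l in SAMPLE:
        print(assign_host(l, True, "collector"), assign_host(l, False, "collector"))
    print(unexpected_hosts(SAMPLE, {"wlc02.mydomain.com"}))
```

Because HOST comes from the message text when keep_hostname is on, anything able to write to the pipe chooses that value, so the pipe's file permissions and a check against the list of expected devices both matter.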


