[syslog-ng] snmptrapd and HOST macro mapping

Thu Nov 13 21:34:35 CET 2008

On Thu, 2008-11-13 at 21:18 +0100, joël Winteregg wrote:
> Hi,
> 
> Thanks again for your support.
> 
> > > Juste to know, does syslog-ng only use relay config statements
> > > (keep_hostname, etc.) when the log source is defined as udp() or tcp() ?
> > 
> > no, keep_hostname is always applied. in 3.0, it is even possible to
> > specify hostname related options on a per-source basis.
> > 
> 
> Okay, interesting ! You can hardcode (into config file) a given HOST
> macro value associated to a source config ?

Yes, there are two ways to do this:
 - host-override(): this is a new option, that let's you specify a fixed
hostname for each source, this effectively overrides the hostname
parsing routines
 - rewrite rule that changes the HOST value after parsing

The first looks like this:

pipe("/tmp/snmptrapd.pipe" host-override("overridden-host"));

everything coming from this pipe will use "overridden-host" as hostname.

The second one looks like this:

rewrite r_host { set("overridden-host" value("HOST")); };

The rewrite rule can even use macros, like this:

rewrite r_host { set("${HOST}-append" value("HOST")); };

This will append the string '-append' to the hostname.

> 
> > > I'm asking this, because I'm wondering if I forward my SNMP trap to
> > > syslogd and then to syslog-ng through udp (@SYSLOG-COLLECTOR defined in
> > > syslog.conf), syslog-ng will maybe see the SNMP trap as a compliant RFC
> > > 3164 forwarded message ?
> > 
> > That wouldn't work. the problem is inherent in the syslog API, it does
> > not let you change the hostname.
> 
> Okay, but here, what I wanted to achieve was the following. Log this
> SNMP message using snmptrapd syslog functionality: 
> "Nov 12 16:57:59 wlc02.mydomain.com Cold Start"
> 
> The given snmptrapd output message formatting (header): "Nov 12 16:57:59
> wlc02.mydomain.com" set before every snmptrapd message is here to
> provide a RFC 3164 compliant message => this should allow syslog-ng to
> think that "Nov 12 16:57:59 wlc02.mydomain.com Cold Start" is a
> forwarded syslog message ? If so, this would allow me to fetch
> "wlc02.mydomain.com" as HOST macro using keep_hostname(on), no ?
> 

you misunderstand the relayed message format. the header is not
duplicated in case a message is relayed, the format is still the same.

e.g. original message looks like this:
<7>Nov 12 16:57:59 wlc02.mydomain.com Cold Start

Then a relayed message looks the same, except in some cases the relay
host mangles the syslog header, and changes the hostname for instance.

> 
> >  The only way to work around that is to
> > have snmptrapd to send its output to syslog-ng directly (and format the
> > message according to the syslog protocol). There are multiple options:
> > 
> >   * pipe: make snmptrapd output go to a pipe, and reference this from
> > syslog-ng; writing a pipe is about the same as writing a file, so this
> > would probably work
> 
> Ahhh, yeah ! That's much easier than my relayed message style ! If, as I
> did before, I format snmptrad message as follow (to a named pipe), it
> should work:
> "Nov 12 16:57:59 wlc02.mydomain.com Cold Start"

yes. you might add a priority field though.

> 
> >   * program source: in 3.0, I introduced program source, which is
> > basically a syslog-ng managed program, whose output is parsed as a
> > syslog message, line by line.
> > 
> 
> Okay, really interesting too ;-) It reads logs from stdout and stderr of
> the given program ?

it only fetches the standard output.

> 
> Will try this (named pipe stuff) before the csv-parser option. As I'm
> also interested into csv-parser option I will invest time to try it too.
> Will let you know about last-column-greedy.

the named pipe should work with any syslog-ng version, csv-parser is
added in 3.0.

-- 
Bazsi