[syslog-ng] snmptrapd and HOST macro mapping
joël Winteregg
joel.winteregg at gmail.com
Thu Nov 13 21:57:43 CET 2008
Hello,
> > > > Just to know, does syslog-ng only use relay config statements
> > > > (keep_hostname, etc.) when the log source is defined as udp() or tcp()?
> > >
> > > no, keep_hostname is always applied. in 3.0, it is even possible to
> > > specify hostname related options on a per-source basis.
> > >
> >
> > Okay, interesting! You can hardcode (into the config file) a given HOST
> > macro value associated with a source config?
>
> Yes, there are two ways to do this:
> - host-override(): this is a new option, that lets you specify a fixed
> hostname for each source, this effectively overrides the hostname
> parsing routines
> - rewrite rule that changes the HOST value after parsing
>
> The first looks like this:
>
> pipe("/tmp/snmptrapd.pipe" host-override("overridden-host"));
>
> everything coming from this pipe will use "overridden-host" as hostname.
>
> The second one looks like this:
>
> rewrite r_host { set("overridden-host" value("HOST")); };
>
> The rewrite rule can even use macros, like this:
>
> rewrite r_host { set("${HOST}-append" value("HOST")); };
>
> This will append the string '-append' to the hostname.
>
Great! Thanks for the input!
> >
> > > > I'm asking this, because I'm wondering if I forward my SNMP trap to
> > > > syslogd and then to syslog-ng through udp (@SYSLOG-COLLECTOR defined in
> > > > syslog.conf), syslog-ng will maybe see the SNMP trap as a compliant RFC
> > > > 3164 forwarded message?
> > >
> > > That wouldn't work. the problem is inherent in the syslog API, it does
> > > not let you change the hostname.
> >
> > Okay, but here, what I wanted to achieve was the following. Log this
> > SNMP message using snmptrapd syslog functionality:
> > "Nov 12 16:57:59 wlc02.mydomain.com Cold Start"
> >
> > The given snmptrapd output message formatting (header): "Nov 12 16:57:59
> > wlc02.mydomain.com" set before every snmptrapd message is here to
> > provide an RFC 3164 compliant message => this should allow syslog-ng to
> > think that "Nov 12 16:57:59 wlc02.mydomain.com Cold Start" is a
> > forwarded syslog message? If so, this would allow me to fetch
> > "wlc02.mydomain.com" as the HOST macro using keep_hostname(on), no?
> >
>
> you misunderstand the relayed message format. the header is not
> duplicated in case a message is relayed, the format is still the same.
>
Ah, okay! Yes, you're right, I totally misunderstood the relayed message
format ;-)
> >
> > > The only way to work around that is to
> > > have snmptrapd send its output to syslog-ng directly (and format the
> > > message according to the syslog protocol). There are multiple options:
> > >
> > > * pipe: make snmptrapd output go to a pipe, and reference this from
> > > syslog-ng; writing a pipe is about the same as writing a file, so this
> > > would probably work
> >
> > Ahhh, yeah! That's much easier than my relayed message style! If, as I
> > did before, I format the snmptrapd message as follows (to a named pipe), it
> > should work:
> > "Nov 12 16:57:59 wlc02.mydomain.com Cold Start"
>
> yes. you might add a priority field though.
>
Ok! Will try this!
> >
> > > * program source: in 3.0, I introduced program source, which is
> > > basically a syslog-ng managed program, whose output is parsed as a
> > > syslog message, line by line.
> > >
> >
> > Okay, really interesting too ;-) It reads logs from stdout and stderr of
> > the given program?
>
> it only fetches the standard output.
>
> >
> > Will try this (named pipe stuff) before the csv-parser option. As I'm
> > also interested in the csv-parser option, I will invest time to try it too.
> > Will let you know about last-column-greedy.
>
> the named pipe should work with any syslog-ng version, csv-parser is
> added in 3.0.
>
Thanks again for your support !
Joël
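As an added example (not code from the thread, and not part of syslog-ng or net-snmp), the following sh script puts the named-pipe approach discussed above into practice: it builds the RFC 3164 line snmptrapd is supposed to write, with the priority field Balázs suggested adding (`<PRI>` is facility * 8 + severity, so local0/notice gives `<133>`), writes it to the FIFO that a `pipe()` source in syslog-ng reads, and prints the matching syslog-ng source, rewrite and option snippets from the thread. The facility and severity, the `snmptrapd:` tag, and the path `/tmp/snmptrapd.pipe` are assumptions chosen for the example; how snmptrapd hands the trap to a handler script is not covered here, only what that script should emit.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Assumed values: facility
# local0 (16), severity notice (5), tag "snmptrapd", FIFO /tmp/snmptrapd.pipe.
FACILITY=16
SEVERITY=5
PIPE=/tmp/snmptrapd.pipe

# rfc3164_line HOST MSG [TIMESTAMP]
# Emits "<PRI>Mmm dd hh:mm:ss HOST snmptrapd: MSG". The day is space-padded
# ("%e"), as RFC 3164 requires; TIMESTAMP defaults to the current time.
rfc3164_line() {
    host=$1
    msg=$2
    ts=${3:-$(date '+%b %e %H:%M:%S')}
    pri=$((FACILITY * 8 + SEVERITY))
    printf '<%d>%s %s snmptrapd: %s\n' "$pri" "$ts" "$host" "$msg"
}

# write_to_pipe PIPE LINE
# Creates the FIFO if missing (mode 0600 so only the owner can inject lines)
# and writes one line. Caveat: opening a FIFO for writing blocks until a
# reader (syslog-ng) has it open, so a stopped syslog-ng stalls the writer.
write_to_pipe() {
    pipe=$1
    line=$2
    [ -p "$pipe" ] || mkfifo -m 0600 "$pipe"
    printf '%s\n' "$line" > "$pipe"
}

# syslogng_config
# Prints the syslog-ng fragments from the thread for this pipe. The plain
# pipe() source works on any syslog-ng version and takes HOST from the line
# (keep_hostname must be on); host-override() and the rewrite need 3.0.
syslogng_config() {
cat <<'EOF'
options { keep_hostname(yes); };

# Any version: HOST is parsed from the line written to the pipe.
source s_snmptrapd { pipe("/tmp/snmptrapd.pipe"); };

# 3.0 alternative: force a fixed HOST regardless of the line content.
# source s_snmptrapd { pipe("/tmp/snmptrapd.pipe" host-override("overridden-host")); };

# 3.0 only: rewrite HOST after parsing, here appending "-snmp".
rewrite r_host { set("${HOST}-snmp" value("HOST")); };

destination d_traps { file("/var/log/snmptraps.log"); };
log { source(s_snmptrapd); rewrite(r_host); destination(d_traps); };
EOF
}

# Usage from a trap handler, e.g.:
#   write_to_pipe "$PIPE" "$(rfc3164_line wlc02.mydomain.com 'Cold Start')"
# Create the FIFO with mkfifo before starting syslog-ng so the source can open it.
```

Run `syslogng_config` to see the fragments to merge into syslog-ng.conf; the writer must create the FIFO before syslog-ng starts, and because a FIFO open blocks without a reader, a trap handler should not be invoked from a path that cannot tolerate waiting on syslog-ng.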