[syslog-ng] snmptrapd to syslog-ng 3.1

Smart, Dan SmartD at VMCMAIL.com
Wed Aug 17 23:17:09 CEST 2011


My interest is in network device syslog and traps.
I'm trying to receive traps, and then process them in Simple Event Correlator (SEC).  I've got SEC working fine with standard remote syslog.
After reading everything I could find, I found a discussion from 2008 about losing the source hostname when sending the trap to syslog.

I'm trying the source program method, and eliminating multi-line traps.
As I understand it, syslog-ng is looking for Standard Out from the program, so I specified -f in snmptrapd to stop forking, and -Lo to send output to standard output. I'm getting nothing in my d_debug file. Any suggestions?

There is also a web page with a filter and rewrite recipe for traps.  Not sure why I need this if I am sending the trap directly to SEC.
See https://lists.balabit.hu/pipermail/syslog-ng/2008-November/012200.html
And http://bazsi.blogs.balabit.com/2008/11/syslog-ng-3-0-and-snmp-traps/

-=Dan=-

========= syslog-ng.conf =================
#
options {
        long_hostnames(off);
        use_dns(yes);
        use_fqdn(no);
        keep_hostname(yes);
        owner("root");
        group("adm");
        perm(0640);
        stats_freq(0);
        bad_hostname("^gconfd$");
        ts_format(iso);
        flush_lines(100);
        log_fetch_limit(100);
        log_fifo_size(2048);
        dir_perm(0755);
};

source s_program {
program("/usr/sbin/snmptrapd -a -f -Lo --disableAuthorization=yes", flags(no-multi-line));
};

destination d_debug {
   file("/var/log/syslog-ng-debug"
   owner(root) group(root) perm(0600) dir_perm(0700) create_dirs(yes));
};

destination d_sec {
        program("/usr/local/bin/sec -input=\"-\" -conf=/usr/local/etc/sec.conf"
        flags(no-multi-line) );
};


log {
        source(s_program);
        destination(d_sec); destination(d_debug);
        flags(flow-control);
};
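As an added example (not code from Dan's post or from the syslog-ng project), a small Python filter that collapses snmptrapd's multi-line text output into one line per trap while keeping the sending agent's name and address, which is the information the no-multi-line flag and the 2008 thread are concerned with. The sample input is constructed, and the header/continuation layout is assumed to follow snmptrapd's default text format, which varies with the net-snmp version and any -F format string.

```python
"""Collapse multi-line snmptrapd text output into one line per trap.

Meant to sit between snmptrapd and syslog-ng (for example as the command run
by a program() source, reading snmptrapd -f -Lo on stdin), so each trap reaches
SEC as one message that still names the sending agent.  Assumption: a trap
starts with a "<date> <time> <agent> [UDP: [<src>]:<port>->[<dst>]]:" header
followed by indented varbind lines.
"""
import re
import sys
from typing import Iterable, Iterator, List

HEADER = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<agent>\S+) "
    r"\[(?P<proto>\w+): \[(?P<src>[^\]]+)\]:\d+->\[[^\]]+\]\]:\s*$"
)

# Constructed sample, modelled on snmptrapd's default layout (tab-indented varbinds).
SAMPLE = (
    "2011-08-17 23:10:01 core-sw1 [UDP: [192.0.2.10]:161->[192.0.2.1]]:\n"
    "\tDISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (123456) 0:20:34.56\n"
    "\tSNMPv2-MIB::snmpTrapOID.0 = OID: IF-MIB::linkDown\n"
    "\tIF-MIB::ifIndex.3 = INTEGER: 3\n"
    "2011-08-17 23:10:05 edge-rtr2 [UDP: [192.0.2.20]:161->[192.0.2.1]]:\n"
    "\tSNMPv2-MIB::snmpTrapOID.0 = OID: IF-MIB::linkUp\n"
)


def collapse_traps(lines: Iterable[str]) -> Iterator[str]:
    """Yield one line per trap: '<agent> <src-ip> <varbind>; <varbind>; ...'."""
    header = None
    varbinds: List[str] = []

    def flush() -> Iterator[str]:
        if header is not None:
            yield f"{header['agent']} {header['src']} " + ("; ".join(varbinds) or "(no varbinds)")

    for raw in lines:
        line = raw.rstrip("\n")
        m = HEADER.match(line)
        if m:
            yield from flush()                 # previous trap is complete
            header, varbinds = m.groupdict(), []
        elif header is not None and line.strip():
            varbinds.append(line.strip())      # continuation line of the current trap
    yield from flush()


if __name__ == "__main__":
    for out in collapse_traps(sys.stdin):
        sys.stdout.write(out + "\n")
        sys.stdout.flush()  # emit each trap promptly so syslog-ng sees whole lines
```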