[syslog-ng] snmptrapd to syslog-ng 3.1
Balint Kovacs
balint.kovacs at balabit.com
Thu Aug 18 09:34:59 CEST 2011
Hi Dan,
When I do something like this, I usually take a different approach: I
use a script called from snmptrapd to write the log message to a socket.
If you use something other than /dev/log (e.g. /dev/log.snmp), it's
also easier to filter on the message. I am not sure if SEC has
pre-defined rules for traps, but if not, this is probably easier to
handle if you are not using a LOT of traps. If it's just port-security
violations and link up/down messages on a moderately sized network, it
should work fine.
So in my setup this usually looks like:
/etc/snmp/snmp.conf
mibdirs +/usr/share/snmp/mibs/:/etc/snmp/mibs/
mibs +ALL
mibwarninglevel 1
logtimestamp yes
printnumericenums no
printnumericoids no
suffixprinting 0
/etc/snmp/snmptrapd.conf
# syslog-ng configuration
doNotRetainNotificationLogs yes
doNotLogTraps yes
snmpTrapdAddr 0.0.0.0:162
authCommunity execute public
logOption s 10
outputOption Q
traphandle default /usr/local/bin/traptosyslog
/usr/local/bin/traptosyslog
#!/usr/bin/python
import sys, time, socket

# snmptrapd feeds the handler: hostname, transport address, then one
# "OID = value" line per varbind.
t = time.strftime('%Y-%m-%dT%H:%M:%S')
hostname = None
ipaddress = None
trap = None
oids = []
for line in sys.stdin:
    if not hostname:
        hostname = line.strip()
    elif not ipaddress:
        ipaddress = line.strip()
    else:
        if '=' not in line:
            continue          # not a varbind line, skip it instead of crashing
        (n, v) = line.split('=', 1)   # split on the first '=' only
        n = n.strip()
        v = v.strip('\'"\n ')
        if n == "SNMPv2-MIB::snmpTrapOID.0":
            # keep only the trap name, without the MIB module prefix
            trap = v.split('::', 1)[1] if '::' in v else v
        else:
            if '::' in n:
                (base, real) = n.split('::', 1)
                oids.append("%s='%s'" % (real, v))
            else:
                oids.append("%s='%s'" % (n, v))
oids.reverse()   # reverse varbind order, as in the original script
if hostname == "<UNKNOWN>":
    # unresolved host: fall back to the address inside the first [...]
    # of a transport line such as "UDP: [10.0.0.5]:40621->[10.0.0.1]:162"
    b = ipaddress.find('[')
    e = ipaddress.find(']')
    if b >= 0 and e > b:
        hostname = ipaddress[b+1:e]
    else:
        hostname = ipaddress
# one newline-terminated line so syslog-ng sees a complete message
msg = "%s %s snmptrap: %s; %s\n" % (t, hostname, trap, ', '.join(oids))
if not isinstance(msg, bytes):   # Python 3: the socket wants bytes
    msg = msg.encode('utf-8')
sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
sock.connect("/dev/log.snmp")
sock.sendall(msg)
sock.close()
/etc/syslog-ng/syslog-ng.conf
[...]
source snmp
{
    unix-stream(
        "/dev/log.snmp"
        keep_timestamp(yes)
        keep_hostname(yes)
    );
};
[...]
This way the hostname and timestamp are preserved, the SNMP trap is
nicely collapsed to a single line and formatted according to the
matching MIB definition. All MIBs are loaded from /etc/snmp/mibs and if
you need to add one more, just drop it into that folder and reload
snmptrapd.
Balint
On 08/17/2011 11:17 PM, Smart, Dan wrote:
>
> My interest is in network device syslog and traps.
>
> I'm trying to receive traps, and then process them in Simple Event
> Correlator (SEC). I've got SEC working fine with standard remote syslog.
>
> After reading everything I could find, I found a discussion from 2008
> about losing the source hostname when sending the trap to syslog.
>
> I'm trying the source program method, and eliminating multi-line traps.
>
> As I understand that syslog-ng is looking for Standard Out from the
> program, I specified --f in snmptrapd to stop forking, and --Lo to
> send output to standard output. I'm getting nothing in my d_debug
> file. Any suggestions?
>
> There is also a web page with a filter and rewrite recipe for traps.
> Not sure why I need this if I am sending the trap directly to SEC.
>
> See https://lists.balabit.hu/pipermail/syslog-ng/2008-November/012200.html
>
> And http://bazsi.blogs.balabit.com/2008/11/syslog-ng-3-0-and-snmp-traps/
>
> -=Dan=-
>
> ========= syslog-ng.conf =================
>
> #
> options {
>     long_hostnames(off);
>     use_dns(yes);
>     use_fqdn(no);
>     keep_hostname(yes);
>     owner("root");
>     group("adm");
>     perm(0640);
>     stats_freq(0);
>     bad_hostname("^gconfd$");
>     ts_format(iso);
>     flush_lines(100);
>     log_fetch_limit(100);
>     log_fifo_size(2048);
>     dir_perm(0755);
> };
>
> source s_program {
>     program("/usr/sbin/snmptrapd -a -f -Lo --disableAuthorization=yes",
>             flags(no-multi-line));
> };
>
> destination d_debug {
>     file("/var/log/syslog-ng-debug"
>         owner(root) group(root) perm(0600) dir_perm(0700)
>         create_dirs(yes));
> };
>
> destination d_sec {
>     program("/usr/local/bin/sec -input=\"-\" -conf=/usr/local/etc/sec.conf"
>             flags(no-multi-line));
> };
>
> log {
>     source(s_program);
>     destination(d_sec); destination(d_debug);
>     flags(flow-control);
> };
>
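Added example, not Balint's script and not part of the original thread: a Python 3 version of the same traphandle approach, with the parsing split into functions so the edge cases can be checked on their own. It assumes the same socket path (/dev/log.snmp) as the unix-stream source above; the sample trap input is constructed, not captured. It goes beyond the post in two ways: it tolerates handler lines without '=' and values that themselves contain '=', and it prefixes the line with an RFC 3164 PRI (local0.notice, 16*8+5 = 133) so syslog-ng gets a real facility/severity instead of its default for PRI-less input. Varbinds are kept in the order snmptrapd prints them rather than reversed.

```python
#!/usr/bin/env python3
"""Collapse the text snmptrapd feeds a `traphandle` script into one syslog line.

snmptrapd hands the handler, on stdin: line 1 = resolved hostname (or
"<UNKNOWN>"), line 2 = transport address such as
"UDP: [10.0.0.5]:40621->[10.0.0.1]:162", then one "OID = value" line per
varbind.  This is an added example; the sample input below is constructed.
"""
import re
import socket
import time

TRAP_OID = "SNMPv2-MIB::snmpTrapOID.0"
SOCKET_PATH = "/dev/log.snmp"   # assumed: the unix-stream source in the thread
PRI = 16 * 8 + 5                # local0.notice, RFC 3164 encoding = 133

# Constructed sample of what snmptrapd writes for a linkDown trap.
SAMPLE = """\
<UNKNOWN>
UDP: [10.0.0.5]:40621->[10.0.0.1]:162
DISMAN-EVENT-MIB::sysUpTimeInstance = 3:14:25:16.01
SNMPv2-MIB::snmpTrapOID.0 = IF-MIB::linkDown
IF-MIB::ifIndex.3 = 3
IF-MIB::ifDescr.3 = "GigabitEthernet0/3"
IF-MIB::ifAlias.3 = "uplink to core (vlan=10)"
IF-MIB::ifOperStatus.3 = down(2)
"""


def strip_mib(name):
    """Drop the 'MODULE::' prefix so IF-MIB::ifIndex.3 becomes ifIndex.3."""
    return name.split("::", 1)[1] if "::" in name else name


def source_host(hostname, transport):
    """Use the resolved name; when snmptrapd could not resolve it (<UNKNOWN>),
    fall back to the peer address inside the first [...] of the transport line."""
    if hostname != "<UNKNOWN>":
        return hostname
    m = re.search(r"\[([^\]]+)\]", transport)
    return m.group(1) if m else transport


def parse_trap(text):
    """Return (host, trap_name, [(name, value), ...]) from handler input."""
    lines = text.splitlines()
    if len(lines) < 2:
        raise ValueError("need hostname and transport lines")
    host = source_host(lines[0].strip(), lines[1].strip())
    trap = None
    varbinds = []
    for line in lines[2:]:
        if "=" not in line:
            continue                       # not a varbind line; skip, don't crash
        name, value = line.split("=", 1)   # first '=' only: values may contain '='
        name = name.strip()
        value = value.strip().strip("'\"")
        if name == TRAP_OID:
            trap = strip_mib(value)
        else:
            varbinds.append((strip_mib(name), value))
    return host, trap, varbinds


def format_message(host, trap, varbinds, when=None):
    """Build the single newline-terminated line, same shape as the post's
    script, with a PRI so syslog-ng parses facility and severity."""
    when = when or time.strftime("%Y-%m-%dT%H:%M:%S")
    body = ", ".join("%s='%s'" % (n, v) for n, v in varbinds)
    return "<%d>%s %s snmptrap: %s; %s\n" % (PRI, when, host, trap, body)


def send_to_socket(message, path=SOCKET_PATH):
    """Write the line to the unix-stream socket syslog-ng listens on."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock:
        sock.connect(path)
        sock.sendall(message.encode("utf-8"))


if __name__ == "__main__":
    import sys
    # as a traphandle, read the trap from stdin; run by hand, use the sample
    data = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    host, trap, varbinds = parse_trap(data)
    print(format_message(host, trap, varbinds), end="")
```

Installed as `traphandle default /usr/local/bin/traptosyslog` it behaves like the script in the thread; run interactively it prints the collapsed line for the sample trap. Because the message carries an ISO timestamp and the trap's own source host, the unix-stream source still needs keep_timestamp(yes) and keep_hostname(yes), otherwise syslog-ng stamps every trap with the time it arrived and the collector's hostname, which is exactly the loss Dan's question was about.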