[syslog-ng] Need help with filtering messages - new user with syslog-ng

Balazs Scheidler bazsi at balabit.hu
Mon Aug 29 11:38:32 CEST 2011


On Mon, 2011-08-29 at 12:12 +0300, Cosmin Neagu wrote:
> Hello,
> First of all, I started to use syslog-ng on Ubuntu a few days ago and
> it seems a great syslog server.
> 
> But today I stumbled on a problem.
> 
> 
> I configured snmptrapd with TRAPDOPTS='-Lsd ' and this means that
> snmptrapd will send the trap received to syslog-ng.
> Now, syslog-ng puts those traps by default in /var/log/syslog because
> of these default configurations:
> 
> source s_src { unix-dgram("/dev/log"); internal();
>              file("/proc/kmsg" program_override("kernel")); };
> destination d_syslog { file("/var/log/syslog"); };
> filter f_syslog3 { not facility(auth, authpriv, mail) and not
> filter(f_debug); };
> log { source(s_src); filter(f_syslog3); destination(d_syslog); };
> 
> What I want to accomplish is to have traps from different hosts put in
> different files, not all together in the same file like it happens now.
> At first I tried to filter based on the IP address of the host that was
> sending the trap, but I realized that the snmptrapd process is the one
> that sends the trap to the syslog-ng process, not the device directly:
> 
> Aug 29 11:42:48 Dell snmptrapd[3801]: 2011-08-29 11:42:43 10.90.0.252
> [UDP: [10.90.0.252]:49364->[192.168.53.151]]:
> iso.3.6.1.2.1.1.3.0 = Timeticks: (1563318974) 180 days,
> 22:33:09.74    
> iso.3.6.1.6.3.1.1.4.1.0 = OID: iso.3.6.1.4.1.9.9.41.2.0.1    
> iso.3.6.1.4.1.9.9.41.1.2.3.1.2.31 = STRING: "LINK"    
> iso.3.6.1.4.1.9.9.41.1.2.3.1.3.31 = INTEGER: 4    
> iso.3.6.1.4.1.9.9.41.1.2.3.1.4.31 = STRING: "UPDOWN"    
> iso.3.6.1.4.1.9.9.41.1.2.3.1.5.31 = STRING: "Interface Serial0/0/0,
> changed state to down"    
> iso.3.6.1.4.1.9.9.41.1.2.3.1.6.31 = Timeticks: (1563318974) 180 days,
> 22:33:09.74
> 
> 
> 
> So maybe you have done this - how can I filter based on the program
> that is sending the message (like snmptrapd)? And also, can filters
> based on the text itself be used? Like:
> - if the message contains "10.90.0.252 [UDP:
> [10.90.0.252]:XXXXX->[192.168.53.151]" put the message in "this" file
> - if the message contains "10.90.1.22 [UDP:
> [10.90.1.22]:XXXXX->[192.168.53.151]" put the message in "that" file
> Thanks

You can use the message() filter function to sort messages based on the
message content.

However, it'd be best to tell snmptrapd to use a format that syslog-ng
can properly parse. As it seems the message payload is almost like a
syslog header, isn't it possible to tell snmptrapd to format a proper
syslog header and use the name of the sender host as the $HOST portion
of the syslog message?

Any snmptrapd users here?

-- 
Bazsi
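As an added example (not part of the thread, not syslog-ng project code), the program() and message() filters Bazsi refers to, wired up to do what the question asks: traps from the two quoted sender addresses go to separate files, everything else from snmptrapd to a catch-all. It assumes the s_src source from the quoted default configuration; the /var/log/traps/ paths and the filter and destination names are my own.

```conf
# Added example: per-sender trap files with program() and message() filters.
# Assumes the Ubuntu default source s_src quoted in the question and that
# snmptrapd logs under the program name "snmptrapd" (as in the sample line).

# Only messages logged by the snmptrapd process.
filter f_snmptrapd { program("snmptrapd"); };

# Match the sender address exactly as snmptrapd prints it, anchored on the
# "[UDP: [addr]:" token. A bare substring match on "10.90.0.252" would also
# fire on 10.90.0.2521 or on an address that merely appears inside a varbind
# string later in the trap text, so the brackets and the trailing ":" matter.
# Inside syslog-ng double-quoted strings a backslash must itself be escaped,
# so "\\[" reaches the regex engine as the literal-bracket escape "\[".
filter f_trap_10_90_0_252 { message("\\[UDP: \\[10\\.90\\.0\\.252\\]:"); };
filter f_trap_10_90_1_22  { message("\\[UDP: \\[10\\.90\\.1\\.22\\]:");  };

# One file per device; a catch-all so traps from an unlisted device are
# still written somewhere instead of being dropped.
destination d_trap_10_90_0_252 { file("/var/log/traps/10.90.0.252.log"); };
destination d_trap_10_90_1_22  { file("/var/log/traps/10.90.1.22.log");  };
destination d_trap_other       { file("/var/log/traps/unmatched.log");   };

# flags(final) stops further log statements from seeing a matched message,
# so these three paths must appear before the default f_syslog3 path if the
# traps are no longer supposed to land in /var/log/syslog as well.
log { source(s_src); filter(f_snmptrapd); filter(f_trap_10_90_0_252);
      destination(d_trap_10_90_0_252); flags(final); };
log { source(s_src); filter(f_snmptrapd); filter(f_trap_10_90_1_22);
      destination(d_trap_10_90_1_22); flags(final); };
log { source(s_src); filter(f_snmptrapd);
      destination(d_trap_other); flags(final); };
```

Because two filters in one log statement are ANDed, the program() test keeps a message from another daemon that happens to quote the same address out of the trap files.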
