[syslog-ng] snmptrap handler parses SNMP traps correctly, but the file it reads from is not emptying

Allen Pouratian Allen.Pouratian at AlticeUSA.com
Mon May 20 13:55:23 UTC 2019


Hello -

I set up snmptrapd to write to /var/log/snmptrapd.log and syslog-ng is configured to read from it like this ...

source {
snmptrap(filename("/var/log/snmptrapd.log"));
};

... but /var/log/snmptrapd.log is not getting emptied, so it needs to be truncated every so often to avoid filling up the filesystem.

But the problem with truncating /var/log/snmptrapd.log is that we're going to lose traps, since we get a lot of them.

When I was testing this syslog-ng snmptrap facility with a few traps a minute, I saw /var/log/snmptrapd.log empty, but with hundreds of traps incoming per second, it does not empty any more.

I have what looks like a work-around to the syslog-ng snmptrap handler/parser where ...


  1) Snmptrapd 5.7.3 writes to syslog with -Lsd
  2) Syslog-ng 3.20 reads from syslog with system-journal()
  3) Rewrite the trap $MESSAGE with a series of "substitutions" (subst) into space separated key=value pairs
  4) point kv-parser() at $MESSAGE and specify " " as a separator
  5) delete the original $MESSAGE block

... but perhaps I didn't have to do that, since perhaps I'm mis-using the snmptrap facility built into syslog-ng, and thus causing /var/log/snmptrapd.log to not empty.

Your comments and insights would be appreciated.

- Allen
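The five-step work-around above, written out as a syslog-ng configuration. This is an added example, not code from Allen's post or from the syslog-ng project, and it rests on assumptions: snmptrapd runs with -Lsd (so traps arrive from the journal with program "snmptrapd" and facility daemon), the trap text has the shape shown in the constructed sample comment (a header ending in "]:" followed by varbinds separated by tab characters, which is the default snmptrapd output format as assumed here), varbind values contain no spaces apart from the Timeticks display form, and no value contains a literal "=". The "trap." key prefix, the names s_journal, r_trap_kv, p_trap_kv, r_drop_raw and d_traps_json, and the output path /var/log/snmptraps.json are all invented for the example.

```conf
@version: 3.20

# Step 1 is on the snmptrapd side (-Lsd); step 2: read the journal directly.
source s_journal {
    systemd-journal();
};

# Only messages snmptrapd logged to the daemon facility go down this path.
filter f_snmptrapd {
    program("snmptrapd") and facility(daemon);
};

# Constructed sample of the text this rewrite expects in $MESSAGE
# (<newline> and <tab> stand for the literal control characters):
#   2019-05-20 13:55:23 <UNKNOWN> [UDP: [192.0.2.10]:161->[192.0.2.1]:162]:<newline>
#   DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (12345) 0:02:03.45<tab>SNMPv2-MIB::snmpTrapOID.0 = OID: IF-MIB::linkDown<tab>IF-MIB::ifIndex.3 = INTEGER: 3
# After the substitutions below it reads:
#   agent=192.0.2.10 DISMAN-EVENT-MIB_sysUpTimeInstance=12345 SNMPv2-MIB_snmpTrapOID.0=IF-MIB_linkDown IF-MIB_ifIndex.3=3

# Step 3: turn the varbind list into space separated key=value pairs.
# Regexes are in single quotes so syslog-ng passes them to PCRE unchanged.
rewrite r_trap_kv {
    # Header: keep only the sending agent's address, as the first pair.
    subst('^.*?\[UDP: \[', 'agent=', value("MESSAGE") type("pcre"));
    subst('\]:[0-9]+->\[[^\]]+\]:[0-9]+\]:\s*', ' ', value("MESSAGE") type("pcre"));
    # Timeticks: "= Timeticks: (12345) 0:02:03.45" becomes "=12345"
    # (the human-readable time contains spaces, which would split the pair).
    subst(' = Timeticks: \(', '=', value("MESSAGE") type("pcre") flags("global"));
    subst('\) [0-9]+:[0-9]+:[0-9]+\.[0-9]+', '', value("MESSAGE") type("pcre") flags("global"));
    # Drop the " = TYPE: " part of every remaining varbind.
    subst(' = (?:OID|INTEGER|STRING|IpAddress|Gauge32|Counter32|Counter64|Unsigned32|Hex-STRING): ', '=',
          value("MESSAGE") type("pcre") flags("global"));
    # kv-parser() key names may not contain ":", so "MIB::object" becomes "MIB_object".
    subst('::', '_', value("MESSAGE") type("pcre") flags("global"));
    # The tab between varbinds becomes the single space kv-parser() splits on.
    subst('\t', ' ', value("MESSAGE") type("pcre") flags("global"));
};

# Step 4: split $MESSAGE on " " into trap.<key> name-value pairs.
parser p_trap_kv {
    kv-parser(prefix("trap.") value-separator("=") pair-separator(" "));
};

# Step 5: the original text is no longer needed once it has been parsed.
rewrite r_drop_raw {
    unset(value("MESSAGE"));
};

# One JSON object per trap, carrying only the parsed pairs plus source and time.
destination d_traps_json {
    file("/var/log/snmptraps.json"
         template("$(format-json --key trap.* --key SOURCEIP --key ISODATE)\n"));
};

log {
    source(s_journal);
    filter(f_snmptrapd);
    rewrite(r_trap_kv);
    parser(p_trap_kv);
    rewrite(r_drop_raw);
    destination(d_traps_json);
};
```

Check the result with `syslog-ng --syntax-only` and then by sending a test trap with snmptrap and reading the JSON file; if a varbind type is missing from the list in the third subst(), its " = TYPE: " text survives and that pair is mis-split, so extend the alternation for the MIBs in use. Because every pair is produced by the rewrite, nothing in the config depends on the snmptrap() source or on /var/log/snmptrapd.log, so that file can be left out of the picture entirely.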





