[syslog-ng] snmptrap handler parses SNMP traps correctly, but the file it reads from is not emptying

Scheidler, Balázs balazs.scheidler at oneidentity.com
Mon May 20 15:54:41 UTC 2019


Just set up logrotate on that file, syslog-ng will read till the end and
start the new one if the rotation happens.

So instead of truncating, rename it to a new name, and let snmptrapd write
to a new file.

On Mon, May 20, 2019, 15:55 Allen Pouratian <Allen.Pouratian at alticeusa.com>
wrote:

> Hello –
>
> I set up snmptrapd to write to /var/log/snmptrapd.log and syslog-ng is
> configured to read from it like this …
>
>     source {
>         snmptrap(filename("/var/log/snmptrapd.log"));
>     };
>
> … but /var/log/snmptrapd.log is not getting emptied, so it needs to be
> truncated every so often to avoid filling up the filesystem.
>
> But the problem with truncating /var/log/snmptrapd.log is that we’re
> going to lose traps, since we get a lot of them.
>
> When I was testing this syslog-ng snmptrap facility with a few traps a
> minute, I saw /var/log/snmptrapd.log empty, but with hundreds of traps
> incoming per second, it does not empty any more.
>
> I have what looks like a work-around to the syslog-ng snmptrap
> handler/parser where …
>
>    1) Snmptrapd 5.7.3 writes to syslog with -Lsd
>    2) Syslog-ng 3.20 reads from syslog with system-journal()
>    3) Rewrite the trap $MESSAGE with a series of “substitutions”
>       (subst) into space separated key=value pairs
>    4) point kv-parser() at $MESSAGE and specify “ “ as a separator
>    5) delete the original $MESSAGE block
>
> … but perhaps I didn’t have to do that, since perhaps I’m mis-using the
> snmptrap facility built into syslog-ng, and thus causing
> /var/log/snmptrapd.log to not empty.
>
> Your comments and insights would be appreciated.
>
> - Allen
>
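A logrotate stanza that applies the advice in the reply above (rename the file, never truncate it), added here as an example and not part of the thread. It assumes snmptrapd was started with -Lf /var/log/snmptrapd.log and writes its pid to /var/run/snmptrapd.pid (both paths are assumptions); net-snmp's snmptrapd closes and reopens its log file when it receives SIGHUP.

```conf
# /etc/logrotate.d/snmptrapd (added example; pid file path is an assumption)
/var/log/snmptrapd.log {
    # Rotate by size so a trap storm cannot fill the filesystem between
    # scheduled runs; logrotate must then be run from cron often enough
    # (e.g. hourly) for the size check to be reached in time.
    size 100M
    rotate 10
    missingok
    notifempty
    # Rename in place (logrotate's default). Do NOT use copytruncate: it
    # truncates the live file while snmptrapd is still writing to it and
    # before syslog-ng has necessarily read to the end, which drops traps.
    nocopytruncate
    # Compress only on the following rotation, so syslog-ng can finish
    # reading the renamed file as plain text before it is gzipped.
    compress
    delaycompress
    postrotate
        # After the rename snmptrapd keeps writing to the old inode through
        # its open descriptor; SIGHUP makes it reopen /var/log/snmptrapd.log.
        # syslog-ng reads the renamed file to EOF and then follows the new one.
        if [ -r /var/run/snmptrapd.pid ]; then
            kill -HUP "$(cat /var/run/snmptrapd.pid)" 2>/dev/null || true
        fi
    endscript
}
```

Check the rotated file shrinks to zero unread bytes (syslog-ng's persist state advances to its end) before the next rotation compresses it; if it does not, the reader is falling behind the trap rate and the rotation interval or size needs to grow.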