[syslog-ng] Customizing syslog-ng snmp() destination option

Gabor Nagy (gnagy) Gabor.Nagy at oneidentity.com
Wed Mar 23 10:14:43 UTC 2022


I don't think adding a custom field to an SNMPv2 trap is possible, but I could be wrong as I'm not an expert in SNMP.
I didn't find anything either in the net-snmp library or in the RFCs of SNMPv2.

Your option as far as I see is to send the agent-addr in the varbindlist, as SNMPv1 is not sufficient and it is not supported either in syslog-ng.
Nevertheless, I don't know your use case, maybe we can find out a different workaround.

Regards,
Gabor
________________________________
From: Maurya, Shivani <shivani.maurya at intel.com>
Sent: Wednesday, March 23, 2022 7:38
To: Gabor Nagy (gnagy) <Gabor.Nagy at oneidentity.com>
Cc: wernli at in2p3.fr <wernli at in2p3.fr>; Syslog-ng users' and developers' mailing list <syslog-ng at lists.balabit.hu>
Subject: RE: [syslog-ng] Customizing syslog-ng snmp() destination option



Hi Gabor,



Can you please help here?



Regards,

Shivani Maurya



From: Maurya, Shivani
Sent: Tuesday, March 22, 2022 10:27 PM
To: Gabor Nagy (gnagy) <Gabor.Nagy at oneidentity.com>; wernli at in2p3.fr; Syslog-ng users' and developers' mailing list <syslog-ng at lists.balabit.hu>
Subject: RE: [syslog-ng] Customizing syslog-ng snmp() destination option



Hi Gabor,



We want to use snmpv2c/snmpv3 only going forward. This is the reason I want to add the field “agent-addr”. Is there a way to add “agent-addr” field with snmpv2c/snmpv3?



Regards,

Shivani Maurya



From: Gabor Nagy (gnagy) <Gabor.Nagy at oneidentity.com>
Sent: Tuesday, March 22, 2022 8:48 PM
To: Maurya, Shivani <shivani.maurya at intel.com>; wernli at in2p3.fr; Syslog-ng users' and developers' mailing list <syslog-ng at lists.balabit.hu>
Subject: Re: [syslog-ng] Customizing syslog-ng snmp() destination option



Thanks Shivani for the example!

I didn't know "agent-addr" is a standardized SNMPv1 trap element.
I've found it in the SNMPv1 RFC too. [1]



Unfortunately, syslog-ng only supports snmpv2c and snmpv3 versions.

I've checked the code of snmp-dest() and I think it would be _relatively_ easy to add snmpv1 support.

I can open a feature request on GitHub, as I'm not sure when we could get to this in the near future, or is there any reason against SNMPv1.

Regards,

Gabor





[1] https://datatracker.ietf.org/doc/html/rfc1157/#section-4.1.6

________________________________

From: syslog-ng <syslog-ng-bounces at lists.balabit.hu> on behalf of Fabien Wernli <wernli at in2p3.fr>
Sent: Tuesday, March 22, 2022 8:12
To: Maurya, Shivani <shivani.maurya at intel.com>
Cc: Syslog-ng users' and developers' mailing list <syslog-ng at lists.balabit.hu>
Subject: Re: [syslog-ng] Customizing syslog-ng snmp() destination option





Hi again,

On Tue, Mar 22, 2022 at 06:09:32AM +0000, Maurya, Shivani wrote:
> But this is how I want an extra field to be added in trap itself before the variable-binding -
>
> [inline image image002.png, not preserved in the archive]

As I said, I think you can achieve this using `snmp-obj()`.
Try the following:

    snmp-obj('.1.3.6.1.6.3.18.1.3.0', 'Ipaddress', "${SOURCEIP}")

______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq
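
The `snmp-obj()` suggestion from the thread, placed in a complete SNMPv2c `snmp()` destination. This is an added example, not configuration posted by anyone in the thread; the source definition, receiver address, community string and the enterprise OIDs under `.1.3.6.1.4.1.99999` are constructed placeholders.

```conf
# Added example: fragment of a syslog-ng.conf.
# Addresses, community string and enterprise OIDs are placeholders.

source s_net {
    network(transport("udp") port(514));
};

destination d_snmp_trap {
    snmp(
        version('v2c')
        host('192.0.2.10')               # trap receiver (placeholder)
        port(162)
        community('example-community')   # placeholder

        # snmpTrapOID.0 identifies the notification; the value is a placeholder.
        trap-obj('.1.3.6.1.6.3.1.1.4.1.0', 'Objectid', '.1.3.6.1.4.1.99999.1.1')

        # snmpTrapAddress.0 (RFC 3584): the varbind that carries, in an
        # SNMPv2 trap, what SNMPv1 carried in the agent-addr PDU field.
        snmp-obj('.1.3.6.1.6.3.18.1.3.0', 'Ipaddress', "${SOURCEIP}")

        # Message text as a further varbind (placeholder OID).
        snmp-obj('.1.3.6.1.4.1.99999.1.2.0', 'Octetstring', "${MESSAGE}")
    );
};

log {
    source(s_net);
    destination(d_snmp_trap);
};
```

`${SOURCEIP}` is the address of the peer that delivered the message to syslog-ng, so behind a relay it is the relay's address rather than the originating device. The varbind is ordinary sender-supplied data, so a trap receiver should not treat it as an authenticated source address.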