snmptrap() source not reading the last trap of snmptrapd.log file

I did PoC of snmptrap() source of syslog-ng PE 7.0.14 version for my one of the requirement. I found that snmptrap() source did not read the last trap of the SNMPTRAPD agent log file for converting the SNMP Trap into syslog message.

It read the lasst trap message when new SNMP Trap message comes. I have tried to use the file() source as an alternative but the output format is very diffrent between snmptrap() source and file() source.

Any one faced same kind of issue? If yes then any solution to solve the issue?

  • Good morning Sankalp,

    While I personally have not encountered this issue I am going to dive into this and see what I can find. In the meantime I would definitely recommend putting in a Service Request with our Support Team as we will be able to focus more resources into this and hopefully find some concrete answers.

    Regardless, we will update this post with our findings shortly.

  • I got the work around solution from Endre Kalocsai (One Identity). Solution is the changes in snmptrapd.conf file

    The snmptrapd() source is looking for timestamps at the beginning of the lines, so if you modify the ouptput format of snmptrapd you will have the latest snmptrap always.

     Following lines in my snmptrapd.conf

     format2 %.4y-%.2m-%.2l %.2h:%.2j:%.2k %B [%b]:\n%v\n%.4y-%.2m-%.2l %.2h:%.2j:%.2k\n outputOption s

     That way you will have similar entries in the snmptrapd.log for every trap like these.

    2019-08-23 14:18:14 localhost [UDP: [127.0.0.1]:46323->[127.0.0.1]:162]:

    iso.3.6.1.2.1.1.3.0 = Timeticks: (1883129779) 217 days, 22:54:57.79     iso.3.6.1.6.3.1.1.4.1.0 = OID: iso.3.6.1.6.3.13.1.1.1.1 iso.3.6.1.2.1.1.6.0 = STRING: "SNMPv2 8"

    2019-08-23 14:18:14

     A line with the real trap and another one only with the timestamp.

    It makes garbage in the snmptrapd.log, but syslog-ng will read the real trap, because of the next line with the timestamp.

    Also, the line with the timestamp only will be dropped by the snmptrap parser included in the snmptrapd() source