snmptrap() source not reading the last trap of snmptrapd.log file

I did a PoC of the snmptrap() source of syslog-ng PE version 7.0.14 for one of my requirements. I found that the snmptrap() source did not read the last trap of the SNMPTRAPD agent log file when converting the SNMP traps into syslog messages.

It read the last trap message only when a new SNMP trap message came in. I have tried to use the file() source as an alternative, but the output format is very different between the snmptrap() source and the file() source.

Has anyone faced the same kind of issue? If yes, is there any solution to it?

  • Good morning Sankalp,

    While I personally have not encountered this issue I am going to dive into this and see what I can find. In the meantime I would definitely recommend putting in a Service Request with our Support Team as we will be able to focus more resources into this and hopefully find some concrete answers.

    Regardless, we will update this post with our findings shortly.

  • Hi Justin,

    Thank you. Service request is already open for this issue. Service Request ID is 4540952

I got the workaround from Endre Kalocsai (One Identity). The solution is a change in the snmptrapd.conf file.

The snmptrap() source is looking for timestamps at the beginning of the lines, so if you modify the output format of snmptrapd you will always have the latest trap.

     The following lines are in my snmptrapd.conf:

     format2 %.4y-%.2m-%.2l %.2h:%.2j:%.2k %B [%b]:\n%v\n%.4y-%.2m-%.2l %.2h:%.2j:%.2k\n
     outputOption s

     That way you will have similar entries in the snmptrapd.log for every trap like these.

    2019-08-23 14:18:14 localhost [UDP: [127.0.0.1]:46323->[127.0.0.1]:162]:

    iso.3.6.1.2.1.1.3.0 = Timeticks: (1883129779) 217 days, 22:54:57.79     iso.3.6.1.6.3.1.1.4.1.0 = OID: iso.3.6.1.6.3.13.1.1.1.1 iso.3.6.1.2.1.1.6.0 = STRING: "SNMPv2 8"

    2019-08-23 14:18:14

     A line with the real trap and another one only with the timestamp.

    It makes garbage in the snmptrapd.log, but syslog-ng will read the real trap, because of the next line with the timestamp.

    Also, the line with the timestamp only will be dropped by the snmptrap parser included in the snmptrap() source.
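The reason the trailing timestamp line fixes the problem becomes obvious once the reader is modelled: a timestamp-anchored multi-line reader cannot know that a record is complete until it sees the start of the next one. The following Python model is an added illustration written for this page; it is not syslog-ng's own snmptrap() parser and not code from the thread. The sample log records are constructed here from the trap shown in the post (a second trap and its timestamp are invented), and the varbinds are assumed to be tab-separated on the `%v` line.

```python
import re
from typing import Dict, List, Tuple

# Lines that start a record: the snmptrap() source, as described in the thread,
# looks for a timestamp at the beginning of a line.
TIMESTAMP_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}")

# Constructed sample records in the layout produced by the format2 string
# from the post (header line, varbind line, trailing timestamp-only line).
# Varbinds are assumed to be tab-separated on the %v line.
HEADER_1 = "2019-08-23 14:18:14 localhost [UDP: [127.0.0.1]:46323->[127.0.0.1]:162]:"
VARBINDS_1 = ("iso.3.6.1.2.1.1.3.0 = Timeticks: (1883129779) 217 days, 22:54:57.79\t"
              "iso.3.6.1.6.3.1.1.4.1.0 = OID: iso.3.6.1.6.3.13.1.1.1.1\t"
              'iso.3.6.1.2.1.1.6.0 = STRING: "SNMPv2 8"')
# Second trap is invented for the example.
HEADER_2 = "2019-08-23 14:20:01 localhost [UDP: [127.0.0.1]:46323->[127.0.0.1]:162]:"
VARBINDS_2 = ("iso.3.6.1.2.1.1.3.0 = Timeticks: (1883140479) 217 days, 22:56:44.79\t"
              "iso.3.6.1.6.3.1.1.4.1.0 = OID: iso.3.6.1.6.3.13.1.1.1.1\t"
              'iso.3.6.1.2.1.1.6.0 = STRING: "SNMPv2 9"')

# Default layout: nothing follows a trap until the next trap arrives.
DEFAULT_LOG = "\n".join([HEADER_1, VARBINDS_1, HEADER_2, VARBINDS_2]) + "\n"
# Workaround layout: every trap is followed by a line holding only the timestamp.
WORKAROUND_LOG = "\n".join([HEADER_1, VARBINDS_1, "2019-08-23 14:18:14",
                            HEADER_2, VARBINDS_2, "2019-08-23 14:20:01"]) + "\n"


def split_records(log_text: str) -> Tuple[List[str], str]:
    """Timestamp-anchored multi-line reader.

    Returns (complete_records, pending_text). A record is only known to be
    complete when the next timestamp-led line is seen; whatever follows the
    last timestamp stays pending until more data arrives.
    """
    complete: List[str] = []
    current: List[str] = []
    for line in log_text.splitlines():
        if TIMESTAMP_RE.match(line):
            if current:
                complete.append("\n".join(current))
            current = [line]
        elif current:
            current.append(line)
        # Text before the first timestamp has no record to belong to; skip it.
    return complete, "\n".join(current)


def parse_trap(record: str) -> Dict[str, object]:
    """Parse one complete record into timestamp, host, transport and varbinds."""
    header, _, body = record.partition("\n")
    timestamp, rest = header[:19], header[20:]
    host, _, transport = rest.partition(" ")
    varbinds = []
    for vb in body.split("\t"):
        oid, _, typed_value = vb.partition(" = ")
        vtype, _, value = typed_value.partition(": ")
        varbinds.append({"oid": oid, "type": vtype, "value": value})
    return {"timestamp": timestamp, "host": host,
            "transport": transport.rstrip(":"), "varbinds": varbinds}


def parse_traps(log_text: str) -> List[Dict[str, object]]:
    """Emit one message per complete trap. Records consisting of a timestamp
    only (the filler the workaround adds) are dropped, as the thread describes."""
    complete, _pending = split_records(log_text)
    traps = []
    for rec in complete:
        _header, _, body = rec.partition("\n")
        if not body.strip():
            continue
        traps.append(parse_trap(rec))
    return traps


if __name__ == "__main__":
    for name, log in (("default", DEFAULT_LOG), ("workaround", WORKAROUND_LOG)):
        emitted = parse_traps(log)
        pending = split_records(log)[1]
        print(f"{name}: emitted {len(emitted)} trap(s); pending: {pending!r}")
```

With the default layout the second trap is still pending after the whole file has been read, so it only surfaces when a third trap pushes it out; with the workaround layout both traps are emitted and only a harmless timestamp-only line stays pending. A convenient check in production is to compare the number of header lines in snmptrapd.log with the number of messages the snmptrap() source has emitted: a persistent difference of one is the symptom from the original post.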