snmptrap() source not reading the last trap of snmptrapd.log file

I did a PoC of the snmptrap() source of syslog-ng PE 7.0.14 for one of my requirements. I found that the snmptrap() source did not read the last trap of the SNMPTRAPD agent log file when converting the SNMP trap into a syslog message.

It read the last trap message only when a new SNMP trap message came in. I tried to use the file() source as an alternative, but the output format is very different between the snmptrap() source and the file() source.

Has anyone faced the same kind of issue? If yes, is there any solution for it?

  • I got the workaround from Endre Kalocsai (One Identity). The solution is a change in the snmptrapd.conf file.

    The snmptrap() source is looking for timestamps at the beginning of the lines, so if you modify the output format of snmptrapd you will always have the latest snmptrap.

    The following lines are in my snmptrapd.conf:

    format2 %.4y-%.2m-%.2l %.2h:%.2j:%.2k %B [%b]:\n%v\n%.4y-%.2m-%.2l %.2h:%.2j:%.2k\n
    outputOption s

    That way you will have entries like these in snmptrapd.log for every trap:

    2019-08-23 14:18:14 localhost [UDP: [127.0.0.1]:46323->[127.0.0.1]:162]:

    iso.3.6.1.2.1.1.3.0 = Timeticks: (1883129779) 217 days, 22:54:57.79     iso.3.6.1.6.3.1.1.4.1.0 = OID: iso.3.6.1.6.3.13.1.1.1.1 iso.3.6.1.2.1.1.6.0 = STRING: "SNMPv2 8"

    2019-08-23 14:18:14

    A line with the real trap and another one with only the timestamp.

    It makes garbage in snmptrapd.log, but syslog-ng will read the real trap because of the next line with the timestamp.

    Also, the line with only the timestamp will be dropped by the snmptrap parser included in the snmptrap() source.

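To see why the extra timestamp line in the workaround above makes a difference, here is an added example in Python that models a reader which opens a new record at every line beginning with a timestamp and only emits a record when the next timestamped line arrives. It is not code from this thread or from syslog-ng; that the snmptrap() source behaves exactly like this internally is an assumption of the example, and the log lines are constructed from the snmptrapd.log excerpt in the answer, not captured data. With the plain format2 the last trap stays pending; with the trailing "\n%.4y-%.2m-%.2l %.2h:%.2j:%.2k" line every trap closes immediately and the timestamp-only filler is discarded.

```python
import re

# Timestamp prefix produced by "%.4y-%.2m-%.2l %.2h:%.2j:%.2k", e.g. "2019-08-23 14:18:14".
TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})(.*)$")
# One "OID = TYPE: value" varbind; the lookahead stops the value before the next "OID = ".
VARBIND_RE = re.compile(r"(\S+) = (.*?)(?=\s+\S+ = |$)")

# Constructed sample modelled on the snmptrapd.log excerpt in the thread (not captured data).
TRAPS = [
    ("2019-08-23 14:18:14", "localhost [UDP: [127.0.0.1]:46323->[127.0.0.1]:162]:",
     'iso.3.6.1.2.1.1.3.0 = Timeticks: (1883129779) 217 days, 22:54:57.79     '
     'iso.3.6.1.6.3.1.1.4.1.0 = OID: iso.3.6.1.6.3.13.1.1.1.1 '
     'iso.3.6.1.2.1.1.6.0 = STRING: "SNMPv2 8"'),
    ("2019-08-23 14:20:02", "localhost [UDP: [127.0.0.1]:46330->[127.0.0.1]:162]:",
     'iso.3.6.1.2.1.1.3.0 = Timeticks: (1883140579) 217 days, 22:56:45.79     '
     'iso.3.6.1.6.3.1.1.4.1.0 = OID: iso.3.6.1.6.3.1.1.5.1'),
]


def render_log(with_trailing_timestamp):
    """Render TRAPS as snmptrapd writes them with the thread's format2.
    with_trailing_timestamp=True adds the extra timestamp-only line of the workaround."""
    lines = []
    for ts, header, varbinds in TRAPS:
        lines.append(f"{ts} {header}")
        lines.append(varbinds)
        if with_trailing_timestamp:
            lines.append(ts)
    return lines


def assemble_traps(lines):
    """Group lines into records the way a timestamp-anchored multi-line reader does:
    a record opens at a line that starts with a timestamp and is only emitted when the
    next timestamped line arrives. Nothing is flushed at end of file; this models the
    symptom in the question (assumption: syslog-ng's snmptrap() source is modelled only
    in that respect)."""
    records, current = [], None
    for line in lines:
        m = TS_RE.match(line)
        if m:
            if current is not None:
                records.append(current)
            current = {"timestamp": m.group(1), "header": m.group(2).strip(), "body": []}
        elif current is not None:
            current["body"].append(line)
    return records  # the last record (`current`) is deliberately left pending


def drop_timestamp_only(records):
    """Discard records carrying nothing but a timestamp: the filler lines the workaround
    appends, which the answer says the snmptrap parser drops as well."""
    return [r for r in records if r["header"] or any(l.strip() for l in r["body"])]


def parse_varbinds(record):
    """Turn the body line(s) into an ordered {oid: "TYPE: value"} dict.
    A STRING value containing ' = ' would confuse this split, since snmptrapd does not
    escape it; check for that before relying on the split in production."""
    text = " ".join(record["body"])
    return {oid: value.strip() for oid, value in VARBIND_RE.findall(text)}


def traps_seen(with_trailing_timestamp):
    """Complete traps a reader would emit for the rendered log."""
    return drop_timestamp_only(assemble_traps(render_log(with_trailing_timestamp)))


if __name__ == "__main__":
    print("without workaround:", len(traps_seen(False)), "trap(s) emitted")
    print("with workaround:   ", len(traps_seen(True)), "trap(s) emitted")
    for r in traps_seen(True):
        print(r["timestamp"], r["header"], parse_varbinds(r))
```

Running the block prints one emitted trap for the plain format and two for the format with the trailing timestamp line, which is the behaviour the original question and the workaround describe.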