[plug] syslog-ng
Adam Hewitt
ahewitt at theozhewitts.com
Thu Jul 3 18:37:49 WST 2008
Ryan King wrote:
>
>
> On Thu, Jul 3, 2008 at 6:44 PM, Adam Hewitt <ahewitt at theozhewitts.com
> <mailto:ahewitt at theozhewitts.com>> wrote:
>
> Hi All,
>
> I am trying to get snmptraps passed through to syslog-ng and then
> sent through an interpreter into Nagios. I have snmptrapd logging
> to syslog, and I have added the following lines to syslog-ng.conf:
>
> destination d_nagios { file("/tmp/test_file.txt"); };
> filter f_snmptrap { program("snmptrapd"); };
> log { source(s_sys); filter(f_snmptrap); destination(d_nagios); };
>
> sending it to the test_file was just to make sure I was actually
> catching the snmptrapd logs which I am not.
>
> I have tried a number of variations on the ("snmptrapd") such as
> ("snmptrapd\[.*\]") and none of them work.
>
> can anyone see where my logic has gone astray?
>
> cheers,
>
> Adam.
>
>
>
> Hey Adam,
>
> It's been a while, how's it going ;)
>
> Can't see anything obviously wrong - but I am wondering about
> 'snmptrapd' and if it's actually logging to the source you are using?
> Depending on the version of snmptrapd / dist, you have to specify -Ls
> for it to use syslog... But what does source s_sys look like?
>
> What about just removing the filter and dumping source s_sys straight
> to that temp file - just to make sure the messages are coming through
> that source and to double check the program name?
>
> That's where I'd start anyway.
>
> Ryan
>
Gday Ryan,

The s_sys looks like this:

source s_sys {
    unix-stream("/dev/log");
    udp();
    tcp(ip(0.0.0.0) port(5000) max-connections(300));
    internal();
};

I do have -L in the snmptrapd command and it is definitely logging to
syslog. If I comment out all the other log lines in the syslog-ng.conf
file I get nothing being logged including the snmptrapd entries, which
means that it is just my entry that is not matching correctly. I also
changed the filter to program(.*) and that seemed to pick it all up as
well, so it is definitely something with my filter.

(sorry I should have been more specific with my previous email, but I
was typing it with a screaming baby bouncing on my lap :/ )

Cheers again.

Adam.