[plug] syslog-ng

Ryan King communist.goatherder at gmail.com
Fri Jul 4 08:35:02 WST 2008 

On Thu, Jul 3, 2008 at 7:37 PM, Adam Hewitt <ahewitt at theozhewitts.com>
wrote:

> Ryan King wrote:
>
>
>>
>> On Thu, Jul 3, 2008 at 6:44 PM, Adam Hewitt <ahewitt at theozhewitts.com<mailto:
>> ahewitt at theozhewitts.com>> wrote:
>>
>>    Hi All,
>>
>>    I am trying to get snmptraps passed through to syslog-ng and then
>>    sent through an interpretor into Nagios. I have snmptrapd logging
>>    to syslog, and I have added the following lines to syslog-ng.conf:
>>
>>    destination d_nagios { file("/tmp/test_file.txt"); };
>>    filter f_snmptrap { program("snmptrapd"); };
>>    log { source(s_sys); filter(f_snmptrap); destination(d_nagios); };
>>
>>    sending it to the test_file was just to make sure I was actually
>>    catching the snmptrapd logs which I am not.
>>
>>    I have tried a number of variations on the ("snmptrapd") such as
>>    ("snmptrapd\[.*\]") and none of them work.
>>
>>    can anyone see where my logic has gone astray?
>>
>>    cheers,
>>
>>    Adam.
>>
>>
>>
>> Hey Adam,
>>
>> It's been a while, how's it going ;)
>>
>> Can't see anything obviously wrong - but I am wondering about 'snmptrapd'
>> and if it's actually logging to the source you are using?  Depending on the
>> version of snmptrapd / dist, you have to specify -Ls for it to use syslog...
>>   But what does source s_sys look like?
>>
>> What about just removing the filter and dumping source s_sys straight to
>> that temp file - just to make sure the messages are coming through that
>> source and to double check the program name?
>>
>> That's where I'd start anyway.
>>
>> Ryan
>>
>>
> Gday Ryan,
>
> The s_sys looks like this:
>
> source s_sys {
> unix-stream("/dev/log");
> udp();
> tcp(ip(0.0.0.0) port(5000) max-connections(300));
> internal();
> };
>
> I do have -L in the snmptrapd command and it is definitely logging to
> syslog. If I comment out all the other log lines in the syslog-ng.conf file
> I get nothing being logged including the snmptrapd entries, which means that
> it is just my entry that is not matching correctly. I also changed the
> filter to program(.*) and that seemed to pick it all up as well, so it is
> definitely something with my filter.
>
> (sorry I should have been more specific with my previous email, but I was
> typing it with a screaming baby bouncing on my lap :/ )
>
> Cheers again.
>
>
Maybe snmptrapd is logging with a different program name (caps?  missing?)
or just doing something weird.  For another test (to see if snmptrapd is
behaving), try changing the facility it logs to.  ie:  "snmptrapd -Ls
local1" and change:

filter f_snmptrap { program("snmptrapd"); };

to

filter f_snmptrap { facility(local1); };


Can you paste an example line from your log that shows a snmptrapd message?

Ryan
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.plug.org.au/pipermail/plug/attachments/20080704/5e181401/attachment.html>

More information about the plug mailing list