[plug] syslog-ng

Adam Hewitt ahewitt at theozhewitts.com
Fri Jul 4 10:04:47 WST 2008


On Fri, Jul 4, 2008 at 8:35 AM, Ryan King <communist.goatherder at gmail.com>
wrote:

>
> On Thu, Jul 3, 2008 at 7:37 PM, Adam Hewitt <ahewitt at theozhewitts.com>
> wrote:
>
>> Ryan King wrote:
>>
>>
>>>
>>> On Thu, Jul 3, 2008 at 6:44 PM, Adam Hewitt <ahewitt at theozhewitts.com> wrote:
>>>
>>>    Hi All,
>>>
>>>    I am trying to get snmptraps passed through to syslog-ng and then
>>>    sent through an interpretor into Nagios. I have snmptrapd logging
>>>    to syslog, and I have added the following lines to syslog-ng.conf:
>>>
>>>    destination d_nagios { file("/tmp/test_file.txt"); };
>>>    filter f_snmptrap { program("snmptrapd"); };
>>>    log { source(s_sys); filter(f_snmptrap); destination(d_nagios); };
>>>
>>>    sending it to the test_file was just to make sure I was actually
>>>    catching the snmptrapd logs which I am not.
>>>
>>>    I have tried a number of variations on the ("snmptrapd") such as
>>>    ("snmptrapd\[.*\]") and none of them work.
>>>
>>>    can anyone see where my logic has gone astray?
>>>
>>>    cheers,
>>>
>>>    Adam.
>>>
>>>
>>>
>>> Hey Adam,
>>>
>>> It's been a while, how's it going ;)
>>>
>>> Can't see anything obviously wrong - but I am wondering about 'snmptrapd'
>>> and if it's actually logging to the source you are using?  Depending on the
>>> version of snmptrapd / dist, you have to specify -Ls for it to use syslog...
>>>   But what does source s_sys look like?
>>>
>>> What about just removing the filter and dumping source s_sys straight to
>>> that temp file - just to make sure the messages are coming through that
>>> source and to double check the program name?
>>>
>>> That's where I'd start anyway.
>>>
>>> Ryan
>>>
>>>
>> Gday Ryan,
>>
>> The s_sys looks like this:
>>
>> source s_sys {
>>     unix-stream("/dev/log");
>>     udp();
>>     tcp(ip(0.0.0.0) port(5000) max-connections(300));
>>     internal();
>> };
>>
>> I do have -L in the snmptrapd command and it is definitely logging to
>> syslog. If I comment out all the other log lines in the syslog-ng.conf file
>> I get nothing being logged including the snmptrapd entries, which means that
>> it is just my entry that is not matching correctly. I also changed the
>> filter to program(.*) and that seemed to pick it all up as well, so it is
>> definitely something with my filter.
>>
>> (sorry I should have been more specific with my previous email, but I was
>> typing it with a screaming baby bouncing on my lap :/ )
>>
>> Cheers again.
>>
>>
> Maybe snmptrapd is logging with a different program name (caps?  missing?)
> or just doing something weird.  For another test (to see if snmptrapd is
> behaving), try changing the facility it logs to.  ie:  "snmptrapd -Ls
> local1" and change:
>
> filter f_snmptrap { program("snmptrapd"); };
>
> to
>
> filter f_snmptrap { facility(local1); };
>
>
> Can you paste an example line from your log that shows a snmptrapd message?
>
> Ryan
>
>
>
Well I figured it out *sigh*

It turns out that the "/etc/init.d/syslog-ng restart" wasn't actually
restarting. You would think I would have learned not to rely on that by now,
but there you go.

Changing the facility to program("snmptrapd.*") ended up working as expected
once I really did a restart.

Thanks for all your help.

Adam.
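An added shell check, not code from the thread or from Adam or Ryan, for the two things that went wrong above: an init script that reports a restart but leaves the old syslog-ng running, and a program() pattern that can never match. It assumes a Debian-style config path (/etc/syslog-ng/syslog-ng.conf), that pidof and logger are installed, and that syslog-ng's program() filter is an unanchored regular expression tested against the program name after the "[pid]" has been parsed off into $PID; the sample log lines, the hostname "nagios" and the function names are constructed for the example.

```sh
#!/bin/sh
# Added example (not code from the thread). Checks that a syslog-ng filter
# change really took effect, covering the two traps discussed above:
# an init script that says "restart" but leaves the old daemon running,
# and a program() pattern that can never match. Paths are assumptions.

CONF=/etc/syslog-ng/syslog-ng.conf   # assumed config location
OUT=/tmp/test_file.txt               # destination file from the thread

# Program name as syslog-ng's BSD-syslog parser sees it: the tag after the
# hostname, with the "[pid]" and the trailing colon removed. syslog-ng keeps
# the pid in $PID, so a program() filter never sees the brackets.
syslog_program() {
    printf '%s\n' "$1" |
        awk '{ tag = $5; sub(/\[.*$/, "", tag); sub(/:$/, "", tag); print tag }'
}

# Simulates filter program("<pattern>"): the pattern is an unanchored regular
# expression tested against the program name (assumption about syslog-ng's
# matching). It shows why "snmptrapd" and "snmptrapd.*" match while
# "snmptrapd\[.*\]" cannot: the pid brackets are not part of the field.
program_filter_matches() {
    # $1: program name, $2: pattern from the program() filter
    printf '%s\n' "$1" | grep -Eq -- "$2"
}

# Live check: syntax-check the config, restart, prove the pid changed,
# then inject a message carrying the snmptrapd tag and look for it in $OUT.
check_reload() {
    syslog-ng -s -f "$CONF" || { echo "syntax error in $CONF; fix it before restarting"; return 1; }
    before=$(pidof syslog-ng)
    /etc/init.d/syslog-ng restart
    sleep 1
    after=$(pidof syslog-ng)
    if [ -n "$before" ] && [ "$before" = "$after" ]; then
        echo "pid $after unchanged: init script did not restart syslog-ng, sending SIGHUP to reload"
        kill -HUP "$after"
        sleep 1
    fi
    marker="filter-check-$$"
    logger -t snmptrapd -p local1.info "$marker"   # same tag snmptrapd -Ls would log under
    sleep 1
    if grep -q "$marker" "$OUT"; then
        echo "f_snmptrap matched: $marker reached $OUT"
    else
        echo "no match: $marker not in $OUT; dump the source unfiltered and check the program name"
    fi
}

# Constructed sample lines in the format snmptrapd -Ls produces via syslog.
LINE1='Jul  4 09:58:12 nagios snmptrapd[2231]: 192.0.2.10 [UDP: [192.0.2.10]:161]: Cold Start Trap'
LINE2='Jul  4 10:05:01 nagios CRON[2240]: (root) CMD (run-parts /etc/cron.hourly)'

for line in "$LINE1" "$LINE2"; do
    prog=$(syslog_program "$line")
    for pat in 'snmptrapd' 'snmptrapd.*' 'snmptrapd\[.*\]'; do
        if program_filter_matches "$prog" "$pat"; then r=match; else r="no match"; fi
        echo "program=$prog pattern=$pat -> $r"
    done
done

# The live part needs root and a running syslog-ng, so it only runs on request.
if [ "${1:-}" = "--live" ]; then
    check_reload
fi
```

Run it with no arguments to see which patterns match the parsed program name; run it as root with --live on the syslog-ng host to confirm the daemon's pid actually changed and that a tagged test message lands in the destination file.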