List: syslog-ng
Subject: Re: [syslog-ng] snmptrapd and HOST macro mapping
From: joël Winteregg <joel.winteregg () gmail ! com>
Date: 2008-11-13 20:57:43
Message-ID: 1226609863.6072.76.camel () hatman
Hello,
> > > > Just to know, does syslog-ng only use relay config statements
> > > > (keep_hostname, etc.) when the log source is defined as udp() or tcp() ?
> > >
> > > no, keep_hostname is always applied. in 3.0, it is even possible to
> > > specify hostname related options on a per-source basis.
> > >
> >
> > Okay, interesting ! You can hardcode (into config file) a given HOST
> > macro value associated to a source config ?
>
> Yes, there are two ways to do this:
> - host-override(): this is a new option, that lets you specify a fixed
> hostname for each source, this effectively overrides the hostname
> parsing routines
> - rewrite rule that changes the HOST value after parsing
>
> The first looks like this:
>
> pipe("/tmp/snmptrapd.pipe" host-override("overridden-host"));
>
> everything coming from this pipe will use "overridden-host" as hostname.
>
> The second one looks like this:
>
> rewrite r_host { set("overridden-host" value("HOST")); };
>
> The rewrite rule can even use macros, like this:
>
> rewrite r_host { set("${HOST}-append" value("HOST")); };
>
> This will append the string '-append' to the hostname.
>
Great ! Thanks for the input !
> >
> > > > I'm asking this, because I'm wondering if I forward my SNMP trap to
> > > > syslogd and then to syslog-ng through udp (@SYSLOG-COLLECTOR defined in
> > > > syslog.conf), syslog-ng will maybe see the SNMP trap as a compliant RFC
> > > > 3164 forwarded message ?
> > >
> > > That wouldn't work. the problem is inherent in the syslog API, it does
> > > not let you change the hostname.
> >
> > Okay, but here, what I wanted to achieve was the following. Log this
> > SNMP message using snmptrapd syslog functionality:
> > "Nov 12 16:57:59 wlc02.mydomain.com Cold Start"
> >
> > The given snmptrapd output message formatting (header): "Nov 12 16:57:59
> > wlc02.mydomain.com" set before every snmptrapd message is here to
> > provide an RFC 3164 compliant message => this should allow syslog-ng to
> > think that "Nov 12 16:57:59 wlc02.mydomain.com Cold Start" is a
> > forwarded syslog message ? If so, this would allow me to fetch
> > "wlc02.mydomain.com" as HOST macro using keep_hostname(on), no ?
> >
>
> you misunderstand the relayed message format. the header is not
> duplicated in case a message is relayed, the format is still the same.
>
Ah, okay ! Yes you're right I totally misunderstood the relayed message
format ;-)
> >
> > > The only way to work around that is to
> > > have snmptrapd to send its output to syslog-ng directly (and format the
> > > message according to the syslog protocol). There are multiple options:
> > >
> > > * pipe: make snmptrapd output go to a pipe, and reference this from
> > > syslog-ng; writing a pipe is about the same as writing a file, so this
> > > would probably work
> >
> > Ahhh, yeah ! That's much easier than my relayed message style ! If, as I
> > did before, I format snmptrapd message as follows (to a named pipe), it
> > should work:
> > "Nov 12 16:57:59 wlc02.mydomain.com Cold Start"
>
> yes. you might add a priority field though.
>
Ok ! Will try this !
> >
> > > * program source: in 3.0, I introduced program source, which is
> > > basically a syslog-ng managed program, whose output is parsed as a
> > > syslog message, line by line.
> > >
> >
> > Okay, really interesting too ;-) It reads logs from stdout and stderr of
> > the given program ?
>
> it only fetches the standard output.
>
> >
> > Will try this (named pipe stuff) before the csv-parser option. As I'm
> > also interested in csv-parser option I will invest time to try it too.
> > Will let you know about last-column-greedy.
>
> the named pipe should work with any syslog-ng version, csv-parser is
> added in 3.0.
>
Thanks again for your support !
Joël
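
Added example, not part of the original message and not syslog-ng code: a simplified Python sketch of the line format discussed in this thread, showing how the suggested priority field is encoded in front of "Nov 12 16:57:59 wlc02.mydomain.com Cold Start" and how HOST falls out of the header. The function names, the facility/severity values and the default priority of 13 (taken from RFC 3164) are assumptions of this example; syslog-ng's own parser handles more cases.

```python
import re

# Simplified RFC 3164 (BSD syslog) line: optional <PRI>, "Mmm dd hh:mm:ss", host, message.
# Illustrative only; syslog-ng's real parser handles more variants than this.
LINE_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<msg>.*)$"
)
DEFAULT_PRI = 13  # assumption: RFC 3164 default (user.notice) when no PRI is present


def format_line(facility, severity, timestamp, host, msg):
    """Build the line a trap handler would write to the pipe, PRI included."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0-23 and severity 0-7")
    return f"<{facility * 8 + severity}>{timestamp} {host} {msg}"


def parse_line(line, host_override=None):
    """Split a line into facility, severity, timestamp, HOST and message.

    host_override mimics the effect described for host-override(): the fixed
    name replaces whatever hostname was parsed out of the header.
    """
    m = LINE_RE.match(line.rstrip("\n"))
    if m is None:
        raise ValueError("not a '<PRI>timestamp host message' line")
    pri = int(m.group("pri")) if m.group("pri") else DEFAULT_PRI
    if pri > 191:
        raise ValueError("PRI out of range")
    return {
        "facility": pri >> 3,
        "severity": pri & 7,
        "timestamp": m.group("ts"),
        "HOST": host_override or m.group("host"),
        "MSG": m.group("msg"),
    }


if __name__ == "__main__":
    bare = "Nov 12 16:57:59 wlc02.mydomain.com Cold Start"  # line from the thread
    # Constructed sample: facility 3 (daemon), severity 4 (warning)
    with_pri = format_line(3, 4, "Nov 12 16:57:59", "wlc02.mydomain.com", "Cold Start")
    for sample in (bare, with_pri):
        print(sample, "->", parse_line(sample))
    print(parse_line(with_pri, host_override="overridden-host")["HOST"])
```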