Last time I've written about how syslog-ng is able to change message contents. I thought it'd be useful to give you a more practical example, instead of a generic description.
It is quite common to convert SNMP traps to syslog messages. The easiest implementation is to run snmptrapd and have it create a log message based on the trap. There's a small issue though: snmptrapd uses the UNIX syslog() API, and as such it is not able to propagate the originating host of the SNMP trap to the hostname portion of the syslog message. This means that all traps are logged as messages coming from the host running snmptrapd, and the hostname information is part of the message payload.
Of course it'd be much easier to process syslog messages, if this were not the case.
A solution would be to patch snmptrapd to send complete syslog frames, but that would require changing snmptrapd source. The alternative is to use the new parse and rewrite features of syslog-ng 3.0.
First, you need to filter snmptrapd messages:
filter f_snmptrapd { program("snmptrapd"); };
Then we'd need to grab the first field of the message payload, where snmptrapd is configured to put it:
rewrite r_snmptrapd {
subst("^([^ ]+) (.*)$ ", "${2}");
set("${1}" value("HOST"));
};
Both rewrite expression kinds are demonstrated here:
Please NOTE that the new value is a template which makes it possible to use macros such as $HOST or $MESSAGE defined by syslog-ng.
Now let's wire the complete configuration together:
filter f_snmptrapd { program("snmptrapd"); };
rewrite r_snmptrapd {
subst("^([^ ]+) (.*)$ ", "${2}");
set("${1}" value("HOST"));
};
log {
source(s_all);
filter(f_snmptrapd);
rewrite(r_snmptrapd);
destination(d_all);
flags(final);
};
log {
source(s_all);
destination(d_all);
flags(final);
};
Of course this is only an example of the power of what syslog-ng is now capable of doing. Please let me know if you can think of other uses.
The current 3.0 branch of syslog-ng has not been released yet, it is available in the git repository at git.balabit.hu, and also as nightly snapshots.
I'd be grateful for any kind of feedback you might have, please post it either as comments on this blog, or to the mailing list.
It is quite common to convert SNMP traps to syslog messages. The easiest implementation is to run snmptrapd and have it create a log message based on the trap. There's a small issue though: snmptrapd uses the UNIX syslog() API, and as such it is not able to propagate the originating host of the SNMP trap to the hostname portion of the syslog message. This means that all traps are logged as messages coming from the host running snmptrapd, and the hostname information is part of the message payload.
Of course it'd be much easier to process syslog messages, if this were not the case.
A solution would be to patch snmptrapd to send complete syslog frames, but that would require changing snmptrapd source. The alternative is to use the new parse and rewrite features of syslog-ng 3.0.
First, you need to filter snmptrapd messages:
filter f_snmptrapd { program("snmptrapd"); };
Then we'd need to grab the first field of the message payload, where snmptrapd is configured to put it:
rewrite r_snmptrapd {
subst("^([^ ]+) (.*)$ ", "${2}");
set("${1}" value("HOST"));
};
Both rewrite expression kinds are demonstrated here:
- subst() has two arguments: the first is a regexp to search for, the second is a template to be substituted if there's a match
- set() has a single argument: a template to be used as the new value
Please NOTE that the new value is a template which makes it possible to use macros such as $HOST or $MESSAGE defined by syslog-ng.
Now let's wire the complete configuration together:
filter f_snmptrapd { program("snmptrapd"); };
rewrite r_snmptrapd {
subst("^([^ ]+) (.*)$ ", "${2}");
set("${1}" value("HOST"));
};
log {
source(s_all);
filter(f_snmptrapd);
rewrite(r_snmptrapd);
destination(d_all);
flags(final);
};
log {
source(s_all);
destination(d_all);
flags(final);
};
Of course this is only an example of the power of what syslog-ng is now capable of doing. Please let me know if you can think of other uses.
The current 3.0 branch of syslog-ng has not been released yet, it is available in the git repository at git.balabit.hu, and also as nightly snapshots.
I'd be grateful for any kind of feedback you might have, please post it either as comments on this blog, or to the mailing list.
Comments
destination d_snmp { program("yourscript.sh");}
where yourscript.sh would read the matching messages from its stdin and send them out by invoking snmptrap.