6.9. snmptrap: Read Net-SNMP traps
Using the snmptrap() source, you can read and parse the SNMP traps of Net-SNMP's snmptrapd application. syslog-ng PE can read these traps from a log file and extract their content into name-value pairs, making it easy to forward them as a structured log message (for example, in JSON format). The syslog-ng PE application automatically adds the .snmp. prefix to the name of the fields extracted from the message.
The snmptrap() source is available in syslog-ng PE version 7.0.3 and later.
The snmptrap() source has only the options listed in Section 6.9.1, snmptrap() source options. Other options commonly available in other source drivers are not supported.
In addition to traps, the log of snmptrapd may contain other messages as well (for example, daemon start/stop information, debug logs). Currently syslog-ng PE discards these messages.
Because of a bug, snmptrapd does not escape String values in the VarBindList if it can resolve an OID to a symbolic name. As a result, syslog-ng PE cannot process traps that contain the = character in the value of the string. To overcome this problem, disable resolving OIDs in snmptrapd.
The colon (:) character is commonly used in SNMP traps. However, this character cannot be used in the name of syslog-ng PE macros (name-value pairs). Therefore, the syslog-ng PE application automatically replaces all consecutive : characters with a single underscore (_) character. For example, you can reference the value of the NET-SNMP-EXAMPLES-MIB::netSnmpExampleString key using the
Note that this affects only name-value pairs (macros). The generated message always contains the original name of the key.
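The naming rule and the = limitation described above, as an added Python illustration (not syslog-ng PE's own parser). It assumes each varbind is logged as "name = TYPE: value" with varbinds separated by tabs; the sample lines are constructed. It derives macro names as the text states and lists varbinds whose unquoted STRING value contains =, so they can be found in the snmptrapd log before ingestion.

```python
import re

PREFIX = ".snmp."  # prefix the text says syslog-ng PE adds to extracted fields


def macro_name(key):
    """Macro name for a trap key: prefix plus every run of ':' collapsed to one '_'."""
    return PREFIX + re.sub(r":+", "_", key)


# Assumed varbind layout: "name = TYPE: value" (the TYPE part is optional).
VARBIND = re.compile(r"^(?P<key>\S+) = (?:(?P<type>[A-Za-z0-9-]+): )?(?P<value>.*)$")


def parse_varbinds(line):
    """Return (pairs, rejected) for one tab-separated varbind line.

    pairs maps macro names to values; rejected holds varbinds that do not
    match the layout or whose unquoted STRING value contains '='.
    """
    pairs, rejected = {}, []
    for item in line.rstrip("\n").split("\t"):
        item = item.strip()
        if not item:
            continue
        m = VARBIND.match(item)
        if not m:
            rejected.append(item)
            continue
        value = m.group("value")
        quoted = len(value) >= 2 and value[0] == '"' and value[-1] == '"'
        if m.group("type") == "STRING" and not quoted and "=" in value:
            rejected.append(item)  # ambiguous: '=' inside an unescaped string
            continue
        pairs[macro_name(m.group("key"))] = value[1:-1] if quoted else value
    return pairs, rejected


# Constructed sample lines (not captured from a real device).
SAMPLE_OK = ("NET-SNMP-EXAMPLES-MIB::netSnmpExampleString = STRING: link down\t"
             "NET-SNMP-EXAMPLES-MIB::netSnmpExampleHeartbeatRate = INTEGER: 60")
SAMPLE_BAD = "NET-SNMP-EXAMPLES-MIB::netSnmpExampleString = STRING: user=admin"

if __name__ == "__main__":
    for sample in (SAMPLE_OK, SAMPLE_BAD):
        print(parse_varbinds(sample))
```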
Configure snmptrapd to log into a file.
If you use SMIv1 traps, include the following format string in the configuration file of snmptrapd:
format1 %.4y-%.2m-%.2l %.2h:%.2j:%.2k %B [%b]: %N\n\t%W Trap (%q) Uptime: %#T\n%v\n
If you use SMIv2 traps, use the default format. The snmptrap() source of syslog-ng PE expects this default format:
format2 %.4y-%.2m-%.2l %.2h:%.2j:%.2k %B [%b]:\n%v\n
Because of an snmptrapd bug, if you specify the filename in the configuration file with logOption, you must also specify another output as a command line argument (-Lf, -Ls). Otherwise, snmptrapd will not apply the trap format.
To use the snmptrap() driver, the scl.conf file must be included in your syslog-ng PE configuration: