#2513 snmptrapd logs to wrong syslog facility

64-bit
open
nobody
5
2015-01-20
2013-11-26
Peter Eckel
No

Software version is 5.5, installed via RPM on CentOS 6.4:

net-snmp.x86_64        1:5.5-44.el6_4.4 @updates                                
net-snmp-libs.x86_64   1:5.5-44.el6_4.4 @updates                                
net-snmp-utils.x86_64  1:5.5-44.el6_4.4 @updates                                
[root@mucnvmonpapc01 ucce-eventlog]# snmptrapd --version 

NET-SNMP Version:  5.5
Web:               http://www.net-snmp.org/
Email:             net-snmp-coders@lists.sourceforge.net

When I start snmptrapd with the 'log to syslog' option '-Ls4' (which should cause the log entries to be logged to the 'local4' facility), for each trap/inform received I get two log entries, the first one of which is actually logged to 'local4:info' and the second one of which invariably gets the 'user:notice' facility/severity information:

Nov 25 18:39:23 mucnvmonpapc01 <local4:info> snmptrapd[20826]: 2013-11-25 18:39:23 localhost [UDP: [127.0.0.1]:41853->[127.0.0.1]]:
Nov 25 18:39:23 mucnvmonpapc01 <user:notice> DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (0) 0:00:00.00    SNMPv2-MIB::snmpTrapOID.0 = OID: CISCO-CONTACT-CENTER-APPS-MIB::cccaIcmEvent    [...]

This means that it is not possible to sensibly file the received traps into a specific log file using the facility/severity code.

It is also not very straightforward to log the traps as two syslog messages, with the second one lacking any 'program' field that could be used for filtering.

Discussion

  • Bill Fenner
    2013-12-11

    Can you share your snmptrapd.conf? It looks like you've defined a format string with an embedded "\n". That is not the default format for syslogged traps in net-snmp 5.5.

     
  • Peter Eckel
    2013-12-11

    Hi Bill,

    sure:

    com2sec ucceCUIC 172.19.139.18/31 xxxx # MUCCMSRPP11, MUCCMSRPP12
    com2sec ucceCUIC 172.26.181.84/31 xxxx # MUCCMSRPT11, MUCCMSRPT12

    com2sec ucceCCCA 172.19.139.7/32 xxxx # MUCCMSDAP11
    com2sec ucceCCCA 172.19.139.8/32 xxxx # MUCCMSDAP12
    com2sec ucceCCCA 172.26.181.72/32 xxxx # MUCCMSDAT1
    com2sec ucceCCCA 172.26.181.15/32 xxxx # MUCCMSDAT2

    com2sec ucceTEST 127.0.0.1/32 public # TEST

    group ucceCUICGroup v2c ucceCUIC

    group ucceCCCAGroup v2c ucceCCCA

    group ucceTESTGroup v2c ucceTEST

    view ucceCCCAView included CISCO-CONTACT-CENTER-APPS-MIB::cccaIcmEvent

    view ucceCUICView included CISCO-CUICAPPS-MIB::ciscoCuicappsMIBEvent

    view ucceTESTView included CISCO-CONTACT-CENTER-APPS-MIB::cccaIcmEvent
    view ucceTESTView included CISCO-CUICAPPS-MIB::ciscoCuicappsMIBEvent

    setaccess ucceCUICGroup "" v2c noauth prefix log ucceCUICView

    setaccess ucceCCCAGroup "" v2c noauth prefix log ucceCCCAView

    setaccess ucceTESTGroup "" v2c noauth prefix log ucceTESTView

    As you see, I did not define a format string at all, neither in the conf file nor on the command line (which is '/usr/sbin/snmptrapd -p /var/run/snmptrapd.pid -M+/opt/sec/share/snmp/mibs -Ls4').

     
    Last edit: Peter Eckel 2013-12-11
  • Bill Fenner
    2013-12-11

    Oops. I didn't read deeply enough.

    Try adding these two format lines:

    format1 %a: %W Trap (%q) Uptime: %#T%#v\n
    format2 %B [%b]: Trap %#v\n
    

    to your snmptrapd.conf. It turns out that these are the format strings defined for syslog, but the syslog handler is only used if you have no logging options; otherwise the "print to net-snmp log" is used, which uses the format that you see.

     
  • Peter Eckel
    2013-12-11

    Hi Bill,

    thanks a lot - that was exactly the right hint. I did not really suspect that the format string would default to the somewhat weird one it actually does ...

    Defining the format strings is definitely a usable workaround.

    Thanks again,

    Peter.
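
Added example, not part of the original ticket and not net-snmp code: for logs already written in the split form shown in the report, a log pipeline can re-attach each tag-less line to the snmptrapd header that precedes it, so the varbinds inherit the header's facility and severity. The function name `rejoin`, the same-second/same-host matching rule and the third sample line are assumptions made for this illustration.

```python
import re

# Layout of the log lines quoted in the report: timestamp, host,
# <facility:severity>, then the message text.
LINE = re.compile(
    r"^(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"<(?P<fac>\w+):(?P<sev>\w+)> (?P<msg>.*)$"
)
# A syslog program tag such as "snmptrapd[20826]: " at the start of the message.
TAG = re.compile(r"^(?P<prog>[\w./-]+)(?:\[(?P<pid>\d+)\])?: ")


def rejoin(lines, program="snmptrapd"):
    """Merge tag-less continuation lines into the preceding trap header.

    Returns (records, orphans). A continuation is accepted only when it
    directly follows a header from `program` with the same timestamp and
    host (a heuristic); anything else without a tag is reported as an orphan.
    """
    records, orphans, last = [], [], None
    for raw in lines:
        m = LINE.match(raw)
        tag = TAG.match(m["msg"]) if m else None
        if tag:
            rec = {"ts": m["ts"], "host": m["host"], "facility": m["fac"],
                   "severity": m["sev"], "program": tag["prog"],
                   "text": m["msg"][tag.end():], "joined": 0}
            records.append(rec)
            last = rec if tag["prog"] == program else None
        elif m and last and (last["ts"], last["host"]) == (m["ts"], m["host"]):
            last["text"] += " " + m["msg"]   # varbinds rejoin their header
            last["joined"] += 1
        else:
            orphans.append(raw)
    return records, orphans


# The two lines from the report (second one shortened), followed by one
# constructed line that has no matching header.
SAMPLE = [
    "Nov 25 18:39:23 mucnvmonpapc01 <local4:info> snmptrapd[20826]: "
    "2013-11-25 18:39:23 localhost [UDP: [127.0.0.1]:41853->[127.0.0.1]]:",
    "Nov 25 18:39:23 mucnvmonpapc01 <user:notice> DISMAN-EVENT-MIB::"
    "sysUpTimeInstance = Timeticks: (0) 0:00:00.00    SNMPv2-MIB::"
    "snmpTrapOID.0 = OID: CISCO-CONTACT-CENTER-APPS-MIB::cccaIcmEvent",
    "Nov 25 18:40:02 host1 <user:notice> constructed line without a tag",
]
```

A non-empty orphan list is a useful alert in its own right: it means untagged `user:notice` lines are arriving that no facility-based filter will catch.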