#2513 snmptrapd logs to wrong syslog facility

Peter Eckel

Software version is 5.5, installed via RPM on CentOS 6.4:

net-snmp.x86_64        1:5.5-44.el6_4.4 @updates
net-snmp-libs.x86_64   1:5.5-44.el6_4.4 @updates
net-snmp-utils.x86_64  1:5.5-44.el6_4.4 @updates
[root@mucnvmonpapc01 ucce-eventlog]# snmptrapd --version 

NET-SNMP Version:  5.5
Web:               http://www.net-snmp.org/
Email:             net-snmp-coders@lists.sourceforge.net

When I start snmptrapd with the 'log to syslog' option '-Ls4' (which should cause the log entries to be logged to the 'local4' facility), for each trap/inform received I get two log entries, the first one of which is actually logged to 'local4:info' and the second one of which invariably gets the 'user:notice' facility/severity information:

Nov 25 18:39:23 mucnvmonpapc01 <local4:info> snmptrapd[20826]: 2013-11-25 18:39:23 localhost [UDP: []:41853->[]]:
Nov 25 18:39:23 mucnvmonpapc01 <user:notice> DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (0) 0:00:00.00    SNMPv2-MIB::snmpTrapOID.0 = OID: CISCO-CONTACT-CENTER-APPS-MIB::cccaIcmEvent    [...]

This means that it is not possible to sensibly file the received traps into a specific log file using the facility/severity code.

It is also not very straightforward to log the traps as two syslog messages, with the second one lacking any 'program' field that could be used for filtering.


  • Bill Fenner

    Bill Fenner - 2013-12-11

    Can you share your snmptrapd.conf? It looks like you've defined a format string with an embedded "\n". That is not the default format for syslogged traps in net-snmp 5.5.

  • Peter Eckel

    Peter Eckel - 2013-12-11

    Hi Bill,


    com2sec ucceCUIC xxxx # MUCCMSRPP11, MUCCMSRPP12
    com2sec ucceCUIC xxxx # MUCCMSRPT11, MUCCMSRPT12

    com2sec ucceCCCA xxxx # MUCCMSDAP11
    com2sec ucceCCCA xxxx # MUCCMSDAP12
    com2sec ucceCCCA xxxx # MUCCMSDAT1
    com2sec ucceCCCA xxxx # MUCCMSDAT2

    com2sec ucceTEST public # TEST

    group ucceCUICGroup v2c ucceCUIC

    group ucceCCCAGroup v2c ucceCCCA

    group ucceTESTGroup v2c ucceTEST

    view ucceCCCAView included CISCO-CONTACT-CENTER-APPS-MIB::cccaIcmEvent

    view ucceCUICView included CISCO-CUICAPPS-MIB::ciscoCuicappsMIBEvent

    view ucceTESTView included CISCO-CONTACT-CENTER-APPS-MIB::cccaIcmEvent
    view ucceTESTView included CISCO-CUICAPPS-MIB::ciscoCuicappsMIBEvent

    setaccess ucceCUICGroup "" v2c noauth prefix log ucceCUICView

    setaccess ucceCCCAGroup "" v2c noauth prefix log ucceCCCAView

    setaccess ucceTESTGroup "" v2c noauth prefix log ucceTESTView

    As you see, I did not define a format string at all, neither in the conf file nor on the command line (which is '/usr/sbin/snmptrapd -p /var/run/snmptrapd.pid -M+/opt/sec/share/snmp/mibs -Ls4').

    Last edit: Peter Eckel 2013-12-11
  • Bill Fenner

    Bill Fenner - 2013-12-11

    Oops. I didn't read deeply enough.

    Try adding these two format lines:

    format1 %a: %W Trap (%q) Uptime: %#T%#v\n
    format2 %B [%b]: Trap %#v\n

    to your snmptrapd.conf. It turns out that these are the format strings defined for syslog, but the syslog handler is only used if you have no logging options; otherwise the "print to net-snmp log" is used, which uses the format that you see.

  • Peter Eckel

    Peter Eckel - 2013-12-11

    Hi Bill,

    thanks a lot - that was exactly the right hint. I did not really suspect that the format string would default to the somewhat weird one it actually does ...

    Defining the format strings is definitely a usable workaround.

    Thanks again,
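
A check for the symptom discussed in this thread, as an added example that is not part of the original ticket or of net-snmp: it scans log lines in the layout quoted in the report and returns snmptrapd records whose second half arrived without a program tag under a different facility. The `<facility:severity>` layout, the host name `traphost`, the function names and all sample lines are assumptions constructed for the example.

```python
import re

# Layout assumed from the two log lines quoted in the report:
# "Mon DD HH:MM:SS host <facility:severity> [program[pid]: ]message"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\s"
    r"<(?P<facility>\w+):(?P<severity>\w+)>\s"
    r"(?:(?P<program>[\w./-]+)\[\d+\]:\s)?(?P<msg>.*)$"
)

# Constructed sample lines (host, pid, addresses and payloads are made up).
SAMPLE = [
    "Nov 25 18:39:23 traphost <local4:info> snmptrapd[4242]: 2013-11-25 18:39:23 localhost [UDP: [192.0.2.10]:41853->[192.0.2.1]]:",
    "Nov 25 18:39:23 traphost <user:notice> DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (0) 0:00:00.00",
    "Nov 25 18:40:02 traphost <local4:info> snmptrapd[4242]: 192.0.2.10: constructed single-line trap record",
    "Nov 25 18:40:02 traphost <user:notice> untagged line from another source",
]

def parse(line):
    """Split one log line into its fields, or return None if it does not fit."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def find_split_traps(lines, program="snmptrapd", facility="local4"):
    """Return (header, orphan) pairs: a tagged trap header whose message ends
    in ':' followed directly by an untagged line from the same host and
    second that was filed under a facility other than the expected one."""
    findings, prev = [], None
    for line in lines:
        rec = parse(line)
        if rec is None:
            prev = None          # unparseable line breaks any pairing
            continue
        if (prev is not None
                and prev["program"] == program
                and prev["msg"].rstrip().endswith(":")   # header cut at a newline
                and rec["program"] is None               # no 'program' field to filter on
                and (rec["host"], rec["ts"]) == (prev["host"], prev["ts"])
                and rec["facility"] != facility):
            findings.append((prev, rec))
        prev = rec
    return findings

if __name__ == "__main__":
    for header, orphan in find_split_traps(SAMPLE):
        print(f"{orphan['ts']} {orphan['host']}: trap body filed under "
              f"{orphan['facility']}:{orphan['severity']}: {orphan['msg'][:50]}")
```

Run against a log captured after the `format1`/`format2` lines are in place, the function should return an empty list if every trap now arrives as a single tagged message.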



