Forum Discussion
Jeremy_Bridges_
Nimbostratus
Sep 15, 2009
SNMP and SysLog Facilities
I would like to send an SNMP trap every time a message is logged to the em log (local4). I don't see how to do that in the /config/user_alert.conf or /etc/alertd/alert.conf files. I have found the following document about how to set these up, but that doesn't seem to tell me how to specify the facility:
http://devcentral.f5.com/Default.aspx?tabid=63&articleType=ArticleView&articleId=256
How do I specify this?
5 Replies
- hoolio
Cirrostratus
Hi kiroc,
I don't think the syslog facility is included in the message body, so you couldn't easily do this with the default syslog-ng configuration. You could use a template to modify just the syslog4 messages to insert a string to distinguish them. You'd then need to modify the alertd configuration to trigger an snmp trap for those messages.
This post has some related info and links that might help you get started:
tmm entries for syslog
http://devcentral.f5.com/Default.aspx?tabid=53&view=topic&postid=30779&ptarget=30781
Can you reply here if you get stuck or figure something out?
Thanks,
Aaron
- Jeremy_Bridges_
Nimbostratus
Thanks for the info. I will definitely reply back with anything I find out.
- Jeremy_Bridges_
Nimbostratus
By the way, would these TMM entries for syslog be overwritten if the LTM software was upgraded?
- hoolio
Cirrostratus
In 9.4.2 and higher the custom syslog include file is stored in the bigip_sys.conf and should be preserved through an upgrade. In prior versions I think the custom syslog.conf configuration could potentially be overwritten during an upgrade.
Aaron
- Jeremy_Bridges_
Nimbostratus
I think I have followed all of the steps correctly, but I am not seeing the SNMP traps I am expecting. To write the additions to the syslog config, I used these resources:
http://devcentral.f5.com/Default.aspx?tabid=63&articleType=ArticleView&articleId=155
http://sial.org/howto/logging/syslog-ng/
The addition looks like this:
    destination d_em { file( "/var/log/em" create_dirs(yes) template("$DATE $HOST <$FACILITY.$PRIORITY> $MSG\n") template_escape(no) ); };
This does change what is recorded to the em log. If I run the logger command:
    logger -p local1.alert "testing"
The following is recorded to the em file:
    Sep 23 17:04:39 local alert jeremy: testing
My alert definition looks like this:
    alert BIGIP_CUSTOM_ALL_LOCAL1 "(.*?) snmptrap OID=".1.3.6.1.4.1.3375.1.1.110.205" }
Using WireShark, I don't see any SNMP traps with that OID come out of the BIG-IP. Other traps are working, but this one is not.
Does the match string only match on the $MSG portion of the log line? If so, I don't see how I can use just the syslog config to trigger an SNMP trap. For, I don't think I can modify the $MSG variable.
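An added example, not part of the thread or F5's own code: a Python check that parses lines written with the template quoted above and reports whether a candidate pattern matches the whole line or only the $MSG portion. The sample lines, the host name bigip1 and the candidate pattern are constructed, and Python's re module stands in for whatever regex engine alertd uses.

```python
import re

# Layout written by the template quoted in the thread:
#   $DATE $HOST <$FACILITY.$PRIORITY> $MSG
LINE_RE = re.compile(
    r"^(?P<date>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"<(?P<facility>[a-z0-9]+)\.(?P<priority>[a-z]+)> "
    r"(?P<msg>.*)$"
)

def parse_tagged(line):
    """Split a template-tagged line into fields; None if the tag is absent."""
    m = LINE_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None

def match_scope(pattern, line):
    """Report whether `pattern` matches the whole line and/or the $MSG part."""
    fields = parse_tagged(line)
    rx = re.compile(pattern)
    return {
        "tagged": fields is not None,
        "full_line": bool(rx.search(line)),
        "msg_only": bool(fields and rx.search(fields["msg"])),
    }

# Constructed sample lines (not taken from a real device).
SAMPLES = [
    "Sep 23 17:04:39 bigip1 <local1.alert> jeremy: testing",
    "Sep 23 17:05:02 bigip1 <local4.info> emd: constructed message",
    "Sep 23 17:05:10 bigip1 jeremy: line written without the template",
]

# Hypothetical candidate pattern keyed on the facility tag.
CANDIDATE = r"<local1\.[a-z]+>"

def report(pattern=CANDIDATE, lines=SAMPLES):
    """Evaluate the pattern against every sample line."""
    return [match_scope(pattern, line) for line in lines]

if __name__ == "__main__":
    for line, result in zip(SAMPLES, report()):
        print(result, "|", line)
```

A pattern keyed on the facility tag matches only when the matcher sees the full rendered line, so a line that is tagged in the file but never triggers the alert points at the matcher receiving something other than that line.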
