SNMP and SysLog Facilities

Question

I would like to send an SNMP trap every time a message is logged to the em log (local4).  I don't see how to do that in the /config/user_alert.conf or /etc/alertd/alert.conf files.  I have found the following document about how to set these up, but that doesn't seem to tell me how to specify the facility: 
&nbsp;  
&nbsp; http://devcentral.f5.com/Default.aspx?tabid=63&amp;articleType=ArticleView&amp;articleId=256 
&nbsp;  
&nbsp; How do I specify this?

hoolio · Answer

Hi kiroc, 
&nbsp;  
&nbsp; I don't think the syslog facility is included in the message body, so you couldn't easily do this with the default syslog-ng configuration.  You could use a template to modify just the syslog4 messages to insert a string to distinguish them.  You'd then need to modify the alertd configuration to trigger an snmp trap for those messages. 
&nbsp;  
&nbsp; This post has some related info and links that might help you get started: 
&nbsp;  
&nbsp; tmm entries for syslog 
&nbsp; http://devcentral.f5.com/Default.aspx?tabid=53&amp;view=topic&amp;postid=30779&amp;ptarget=30781 
&nbsp;  
&nbsp; Can you reply here if you get stuck or figure something out? 
&nbsp;  
&nbsp; Thanks, 
&nbsp; Aaron

jeremy_bridges_ · Answer

Thanks for the info.  I will definately reply back with anything I find out.

jeremy_bridges_ · Answer

By the way, would these TMM entries for syslog be overwritten if the LTM software was upgraded?

hoolio · Answer

In 9.4.2 and higher the custom syslog include file is stored in the bigip_sys.conf and should be preserved through an upgrade.  In prior versions I think the custom syslog.conf configuration could potentially be overwritten during an upgrade. 
&nbsp;  
&nbsp; Aaron

jeremy_bridges_ · Answer

I think I have followed all of the steps correctly, but I am not seeing the SNMP traps I am expecting.  To write the additions to the syslog config, I used these resources: 
  
 http://devcentral.f5.com/Default.aspx?tabid=63&amp;articleType=ArticleView&amp;articleId=155 
 http://sial.org/howto/logging/syslog-ng/ 
  
 The addition looks like this: 
  
 destination d_em { 
    file( 
       "/var/log/em" 
       create_dirs(yes) 
       template("$DATE $HOST &lt;$FACILITY.$PRIORITY&gt; $MSG
") 
       template_escape(no) 
    ); 
 }; 
  
 This does change what is recorded to the em log.  If I run the logger command: 
  
 logger -p local1.alert "testing" 
  
 The following is recorded to the em file: 
  
 Sep 23 17:04:39 local  alert jeremy: testing 
  
 My alert definition looks like this: 
  
 alert BIGIP_CUSTOM_ALL_LOCAL1 "(.*?)         snmptrap OID=".1.3.6.1.4.1.3375.1.1.110.205" 
 } 
  
 Using WireShark, I don't see any SNMP traps with that OID come out of the BIG-IP.  Other traps are working, but this one is not. 
  
 Does the match string only match on the $MSG portion of the log line?  If so, I don't see how I can use just the syslog config to trigger an SNMP trap.  For, I don't think I can modify the $MSG variable.

Forum Discussion

SNMP and SysLog Facilities

Recent Discussions

Need Urgent BIGIP Trial License and VM Image

nginx-ingress and CVE-2025-1974 (aka IngressNightmare)

AFM deny log level

History Current Connections from Local pool Traffic.

Persistent hash iRule

Related Content

Load Balancing TCP TLS Encrypted Syslog Messages

Changing the BIG-IP Default Syslog-NG Facilities

Tools and facilities to troubleshoot HTTP/3 over QUIC with the BIG-IP system

snmp-check external monitor

Custom SNMP Traps

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS