For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Jeremy_Bridges_'s avatar
Jeremy_Bridges_
Icon for Nimbostratus rankNimbostratus
Sep 15, 2009

SNMP and SysLog Facilities

I would like to send an SNMP trap every time a message is logged to the em log (local4). I don't see how to do that in the /config/user_alert.conf or /etc/alertd/alert.conf files. I have found the f...
management
monitoring
Jeremy_Bridges_'s avatar
Jeremy_Bridges_
Icon for Nimbostratus rankNimbostratus
Sep 23, 2009
I think I have followed all of the steps correctly, but I am not seeing the SNMP traps I am expecting. To write the additions to the syslog config, I used these resources:

http://devcentral.f5.com/Default.aspx?tabid=63&articleType=ArticleView&articleId=155

http://sial.org/howto/logging/syslog-ng/

The addition looks like this: 

destination d_em { 
    file( 
       "/var/log/em" 
       create_dirs(yes) 
       template("$DATE $HOST <$FACILITY.$PRIORITY> $MSG\n") 
       template_escape(no) 
    ); 
 };

This does change what is recorded to the em log. If I run the logger command: 

logger -p local1.alert "testing"

The following is recorded to the em file: 

Sep 23 17:04:39 local  alert jeremy: testing

My alert definition looks like this: 

alert BIGIP_CUSTOM_ALL_LOCAL1 "(.*?)         snmptrap OID=".1.3.6.1.4.1.3375.1.1.110.205" 
 }

Using WireShark, I don't see any SNMP traps with that OID come out of the BIG-IP. Other traps are working, but this one is not.

Does the match string only match on the $MSG portion of the log line? If so, I don't see how I can use just the syslog config to trigger an SNMP trap. For, I don't think I can modify the $MSG variable.