From e8a71cd0d6ea72cb6495305286cb778b9d951e0c Mon Sep 17 00:00:00 2001 From: Rainer Gerhards Date: Tue, 10 May 2011 09:04:23 +0200 Subject: mmsnmptrapd: added doc & mentioned in ChangeLog --- doc/Makefile.am | 1 + doc/mmsnmptrapd.html | 92 +++++++++++++++++++++++++++++++++++++++++++ doc/rsyslog_conf_modules.html | 9 +++++ 3 files changed, 102 insertions(+) create mode 100644 doc/mmsnmptrapd.html (limited to 'doc') diff --git a/doc/Makefile.am b/doc/Makefile.am index a5393cbe..91d92afd 100644 --- a/doc/Makefile.am +++ b/doc/Makefile.am @@ -48,6 +48,7 @@ html_files = \ imuxsock.html \ imklog.html \ pmlastmsg.html \ + mmsnmptrapd.html \ queues.html \ src/queueWorkerLogic.dia \ queueWorkerLogic.jpg \ diff --git a/doc/mmsnmptrapd.html b/doc/mmsnmptrapd.html new file mode 100644 index 00000000..e69bc241 --- /dev/null +++ b/doc/mmsnmptrapd.html @@ -0,0 +1,92 @@ + + + + +mmsnmptrapd message modification module + + + +back to rsyslog module overview + +

mmsnmptrapd message modification module

+

Module Name:    imtcp

+

Author: Rainer Gerhards <rgerhards@adiscon.com> (custom-created)

+

Multi-Ruleset Support: since 5.8.1 +

Description:

+

This module uses a specific configuration of snmptrapd's tag values to +obtain information of the original source system and the severity present inside the +original SNMP trap. It then replaces these fields inside the syslog message. +

Let's look at an example. Essentially, SNMPTT will invoke something like this: +

logger -t snmptrapd/warning/realhost Host 003c.abcd.ffff in vlan 17 is flapping between port Gi4/1 and port Gi3/2 
+
+

+This message modification module will change the tag (removing the additional information), +hostname and severity (not shown in example), so the log entry will look as follows: +

+2011-04-21T16:43:09.101633+02:00 realhost snmptrapd: Host 003c.abcd.ffff in vlan 122 is flapping between port Gi4/1 and port Gi3/2 
+
+The following logic is applied to all message being processed: +
    +
  1. The module checks incoming syslog entries. If their TAG field starts with "snmptrapd/" +(configurable), they are modified, otherwise not. If the are modified, this happens as follows: +
  2. It will derive the hostname from the tag field which has format snmptrapd/severity/hostname +
  3. It should derive the severity from the tag field which has format +snmptrapd/severity/hostname. A configurable mapping table will be used to drive a new +severity value from that severity string. If no mapping has been defined, the original +severity is not changed. +
  4. It replaces the "FromHost" value with the derived value from step2 +
  5. It replaces the "Severity" value with the derived value from step 3 +
+

Note that the placement of this module inside the configuration is important. All actions +before this modules is called will work on the unmodified message. All messages after it's call +will work on the modified message. Please also note that there is some extra power in case it +is required: as this module is implemented via the output module interface, a filter +can be used (actually must be used) in order to tell when it is called. Usually, the catch-all +filter (*.*) is used, but more specific filters are fully supported. So it is possible to define +different parameters for this module depending on different filters. It is also possible to +just run messages from one remote system through this module, with the help of filters or +multiple rulesets and ruleset bindings. In short words, all capabilities rsyslog offers +to control output modules are also available to mmsnmptrapd. +

Configuration Directives:

+ +Caveats/Known Bugs: + +

Example:

+

This enables to rewrite messages from snmptrapd and configures error and warning +severities. The default tag is used.
+

+ +

+

[rsyslog.conf overview] +[manual index] [rsyslog site]

+

This documentation is part of the rsyslog +project.
+Copyright © 2011 by Rainer Gerhards and +Adiscon. +Released under the GNU GPL version 3 or higher.

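Review bot: the module header in the new doc/mmsnmptrapd.html reads `Module Name:    imtcp`, which is a copy-paste leftover and should say `mmsnmptrapd`. In the same hunk the input example (`... in vlan 17 is flapping ...`) and the rewritten output (`... in vlan 122 is flapping ...`) should carry the same VLAN number, since the text says only tag, hostname and severity are changed; and the "Configuration Directives:" and "Caveats/Known Bugs:" sections are empty although the description refers to a configurable tag prefix and a configurable severity mapping table, so those directives need to be listed before this page is useful. Because step 4 replaces "FromHost" with whatever follows the tag prefix, the caveats section should also state that any sender able to emit a `snmptrapd/...` tag decides the recorded source host, and that the filters and ruleset bindings mentioned in the same paragraph are the way to limit which inputs reach the module. Minor wording: "drive a new severity value" in step 3 should be "derive", "If the are modified" should be "If they are modified", and "this modules is called" should be "this module is called".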
+ + diff --git a/doc/rsyslog_conf_modules.html b/doc/rsyslog_conf_modules.html index 74aa319c..b03313f5 100644 --- a/doc/rsyslog_conf_modules.html +++ b/doc/rsyslog_conf_modules.html @@ -99,6 +99,15 @@ the methods the engine provides. They could be used, for example, to:
  • anonymize message content
  • add dynamically computed content to message (fields) +

    Message modification modules are usually written for one specific task and thus +usually are not generic enough to be reused. However, existing module's code is +probably an excellent starting base for writing a new module. Currently, the following +modules existin inside the source tree +

    String Generator Modules

    String generator modules are used, as the name implies, to generate strings based -- cgit
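Review bot: the new paragraph ends with "Currently, the following modules existin inside the source tree" but, as shown in this hunk, no module list follows it before the "String Generator Modules" heading; it should name mmsnmptrapd with a link to the newly added mmsnmptrapd.html (and the Makefile.am hunk already registers that file). Also fix the typo "existin" to "exist in" and "existing module's code" to "existing modules' code".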