(CentOS 7.x)
I have syslog-ng set up to parse snmptrapd messages so I can format them for later digestion. The issue is that syslog-ng only outputs the n-1 message, i.e. if there are 10 lines in snmptrapd.log, syslog-ng only outputs 9 lines. If I send a new message to snmptrapd (message #11), then syslog-ng will output the 10th message.
syslog-ng.conf:
@version:3.27
@include "scl.conf"
log {
    source {
        snmptrap(filename("/var/log/snmptrapd.log"));
    };
    destination {
        file("/var/log/syslog-ng.log");
    };
};
snmptrapd.conf:
authCommunity log,execute,net public
authCommunity log,execute,net localtrap
format2 %.4y-%.2m-%.2l %.2h:%.2j:%.2k %B [%b]:\n%v\n
outputOption s
I've tried adding an additional newline to the end of format2 but it doesn't help. (snmptrapd.log does get the additional line though)
Currently, the snmptrap() source is implemented as a file source that parses the output of snmptrapd. snmptrapd logs are multi-line; the end of the given message is detected based on the prefix of the upcoming message, hence the unexpected behavior. These are ugly implementation details (limitations) of this plugin; it might eventually be replaced with a proper SNMP trap source.
As a workaround, you can set multi-line-timeout(10) to process the last message with a 10-second delay.
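
A simplified model of the behaviour described in the answer above, as an added example that is not part of the original posts and not syslog-ng's code: a framer that treats the next message's timestamp prefix as the only end-of-message signal holds the last message back, and an idle timeout releases it. The class and function names, the one-line-per-second clock and the sample trap lines are assumptions made for the illustration.

```python
import re

# Timestamp prefix written by the page's format2 line (%.4y-%.2m-%.2l %.2h:%.2j:%.2k).
PREFIX = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} ")

class PrefixFramer:
    """Simplified model of prefix-based multi-line framing (not syslog-ng's code)."""
    def __init__(self, timeout=None):
        self.timeout = timeout   # idle seconds before a forced flush; None = never
        self.pending = []        # lines of the message still being assembled
        self.last_input = 0      # time the most recent line arrived

    def feed(self, line, now):
        """Consume one line; return the previous message if this line ends it."""
        done, starts_new = None, bool(PREFIX.match(line))
        if starts_new and self.pending:
            # The next message's prefix is the only end-of-message signal.
            done, self.pending = "\n".join(self.pending), []
        if starts_new or self.pending:
            self.pending.append(line)   # lines before any prefix are dropped
        self.last_input = now
        return done

    def tick(self, now):
        """Periodic check: flush the held message once input has been idle."""
        idle = now - self.last_input
        if self.timeout is None or not self.pending or idle < self.timeout:
            return None
        done, self.pending = "\n".join(self.pending), []
        return done

# Constructed sample shaped like the page's format2 output: header line, then varbinds.
SAMPLE = [
    "2020-06-01 10:00:00 host-a [UDP: [192.0.2.10]:161]:",
    "sysUpTimeInstance = 100",
    "2020-06-01 10:00:05 host-b [UDP: [192.0.2.11]:161]:",
    "sysUpTimeInstance = 200",
    "2020-06-01 10:00:09 host-c [UDP: [192.0.2.12]:161]:",
    "sysUpTimeInstance = 300",
]

def replay(lines, timeout=None, idle_seconds=30):
    """Feed one line per second, then leave the file idle; return emitted messages."""
    framer, out = PrefixFramer(timeout), []
    for t, line in enumerate(lines):
        out.append(framer.feed(line, now=t))
    for t in range(len(lines), len(lines) + idle_seconds):
        out.append(framer.tick(now=t))
    return [m for m in out if m is not None]

if __name__ == "__main__":
    print(len(replay(SAMPLE)), "messages without a timeout")
    print(len(replay(SAMPLE, timeout=10)), "messages with a 10-second timeout")
```

For log pipelines that feed alerting, the held-back trap is the most recent one, so without the timeout the newest event is always the one missing downstream.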