Create cleaner snmptrapd logs

_joe — Wed, 19 Feb 2020 17:51:42 GMT

Hello All,

I was wondering if there is a way to cleanup the key value pair logging inside of snmptrapd? I am ingesting these logs with a UF and I do not want to perform rex sed from my indexers. Thanks.

Here is my current format string

vi /etc/snmp/snmptrapd.conf
format2 Date = %y-%02.2m-%02.2l %02.2h:%02.2j:%02.2k\n%V\n%v\n---\n

My logs look like this:
CISCO-LWAPP-DOT11-CLIENT-MIB::cldcApMacAddress.'....6C' = mac-address
CISCO-LWAPP-DOT11-CLIENT-MIB::cldcClientByIpAddressType.0 = ipv4
CISCO-LWAPP-DOT11-CLIENT-MIB::cldcClientUsername.'@&....' = name
CISCO-LWAPP-DOT11-CLIENT-MIB::cldcClientSSID.'@&....' = Employee
CISCO-LWAPP-DOT11-CLIENT-MIB::cldcClientSessionID.'@&....' = id
CISCO-LWAPP-DOT11-CLIENT-MIB::cldcApMacAddress.'@&....' = mac

I would like them to look like this (before ingesting them into Splunk)
cldcApMacAddress = mac-address
cldcClientByIpAddressType = ipv4

If that isn't possible, I would at least like to remove the random characters (example: "@&...." and "'....6C'"). I am not sure why they are generating.

Re: Create cleaner snmptrapd logs

bgraabek_splunk — Thu, 20 Feb 2020 14:36:59 GMT

Perform the cleanup in, say, a looping script that writes the cleaned up events to a separate log file and then have the UF pick up events from that log file?

Re: Create cleaner snmptrapd logs

_joe — Mon, 24 Feb 2020 15:17:18 GMT

I appreciate the feedback. At that point, I will just use rex mode=sed though. I would like to know if it would be possible to do this in snmptrapd since, I am assuming, that would be most efficient.

topic Re: Create cleaner snmptrapd logs in Getting Data In

Create cleaner snmptrapd logs

Re: Create cleaner snmptrapd logs

Re: Create cleaner snmptrapd logs