Solved

SNMP logs on Linux

Posted on 2013-01-14
8
937 Views
Last Modified: 2013-01-21
Hello,
We have an issue with our Linux and HPUX boxes on the logs that are created by SNMP monitoring.

The logs are full of lines like this:

Jan  9 09:53:23 monitored server snmpd[7328]: Received SNMP packet(s) from UDP: [xx.xxx.xxx.xx]:62547
Jan  9 09:53:23 monitored server snmpd[7328]: Connection from UDP: [xx.xxx.xxx.xx]:62547
Jan  9 09:53:23 monitored server last message repeated 5 times
Jan  9 09:53:25 monitored server snmpd[7328]: Connection from UDP: [xx.xxx.xxx.xx]:54926
Jan  9 09:53:25 monitored server snmpd[7328]: Received SNMP packet(s) from UDP: [xx.xxx.xxx.xx]:54926
Jan  9 09:53:25 monitored server snmpd[7328]: Connection from UDP: [xx.xxx.xxx.xx]:54926
Jan  9 09:53:25 monitored server last message repeated 7 times
Jan  9 09:54:08 monitored server snmpd[7328]: Connection from UDP: [xx.xxx.xxx.xx]:52233
Jan  9 09:54:08 monitored server snmpd[7328]: Received SNMP packet(s) from UDP: [xx.xxx.xxx.xx]:52233
Jan  9 09:54:38 monitored server snmpd[7328]: Connection from UDP: [xx.xxx.xxx.xx]:49610
Jan  9 09:54:38 monitored server snmpd[7328]: Received SNMP packet(s) from UDP: [xx.xxx.xxx.xx]:49610
Jan  9 09:54:47 monitored server snmpd[7328]: Connection from UDP: [xx.xxx.xxx.xx]:61334
Jan  9 09:54:47 monitored server snmpd[7328]: Received SNMP packet(s) from UDP: [xx.xxx.xxx.xx]:61334
Jan  9 09:55:09 monitored server snmpd[7328]: Connection from UDP: [xx.xxx.xxx.xx]:64176
Jan  9 09:55:09 monitored server snmpd[7328]: Received SNMP packet(s) from UDP: [xx.xxx.xxx.xx]:64176
Jan  9 09:55:09 monitored server snmpd[7328]: Connection from UDP: [xx.xxx.xxx.xx]:64176
Jan  9 09:55:25 monitored server snmpd[7328]: Connection from UDP: [xx.xxx.xxx.xx]:51500
Jan  9 09:55:25 monitored server snmpd[7328]: Received SNMP packet(s) from UDP: [xx.xxx.xxx.xx]:51500
Jan  9 09:55:25 monitored server snmpd[7328]: Connection from UDP: [xx.xxx.xxx.xx]:51500
Jan  9 09:55:25 monitored server last message repeated 7 times
Jan  9 09:56:03 monitored server snmpd[7328]: Connection from UDP: [xx.xxx.xxx.xx]:59116


The issue is that the logs are getting full, so, I´d like to remove this logging on the monitored servers.
Thanks in advance for your help
0
Comment
Question by:andressk
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
  • 2
8 Comments
 
LVL 78

Expert Comment

by:arnold
ID: 38775672
The log entries suggest connections from remote system I.e. hp openview or something similar.

You need to make sure that you have a log rotation process in place to manage their size.
Is the IP reflected in the log the same?
Do the systems that are referenced have snmp monitoring, poling functions?
0
 

Author Comment

by:andressk
ID: 38775736
Hello Arnold,

Thanks for your reply.

Below are the answers:

Yes, the IP reflected in the log is the same of the monitoring tool.
No, the monitored boxes don´t have polling functions, they are only monitored by snmp for resources and for some processes.

How works the log rotation process or how can I avoid the writing on these logs?

Regards
0
 
LVL 5
ID: 38775781
Hello Andressk,

I see that you are looking for filtering out these messages , some thing like input filter. I am not much of a linux guy, but I am pretty sure, Your Device who ever is generating this log, should have a good capability to avoid sending this log message to this server. Can you let me know what sort of device is generating these logs , are they Linux/hp server itself , if thats the case the you should very well have a regex to filter the incoming log as well.

Regards
Rakesh M
0
Free learning courses: Active Directory Deep Dive

Get a firm grasp on your IT environment when you learn Active Directory best practices with Veeam! Watch all, or choose any amount, of this three-part webinar series to improve your skills. From the basics to virtualization and backup, we got you covered.

 
LVL 78

Expert Comment

by:arnold
ID: 38775936
The monitoring function is a polling function.
i.e. polling means connecting via SNMP and requesting a specific parameter/s.

on Linux there is a logrotate /etc/logrotate.d
where you create a config file that will rotate the snmp log file you were accessing and.

I am unfamiliar with AIX's log management.
http://www.web-manual.net/aix/managing-log-rotation-for-aix/

Avoid writing into the logs can be done in two ways, one way you can disable snmpd.* within the configuration in /etc/syslog.conf or a syslog variant.
Depending on which SNMP is in use, it may have an option not to record SNMP connection events.
0
 

Author Comment

by:andressk
ID: 38776018
Hi Rakesh,

It´s happening on all Linux boxes (red hat and ubuntu), not only on a specific one. The tool that we are using has not other configuration options for filtering, so, the change has to be done on the servers.

Thanks
0
 
LVL 5

Assisted Solution

by:Rakesh Madupu JNCIE-SP #02079 CCIE-SP#47613
Rakesh Madupu JNCIE-SP #02079 CCIE-SP#47613 earned 250 total points
ID: 38776060
Well, the log looks like they are at Log level 6 which are informational, and it does not indicate any error on the system , but as per the below article ,if you are going to disable log level 6 logging ,you are going to miss out on many log level 6 messages as well. The following webpage was suggested by one of my friends in a quick chat . This might help you ,i do this everyday on a router and switch so this be possible on a server end, just that i have never done this before :)

http://www.stat.auckland.ac.nz/~kimihia/net-snmp

Regards
0
 

Author Comment

by:andressk
ID: 38776069
Hi Arnold,

Can you please give me a step by step process to avoid writing into the log on a Red Hat Enterprise Linux Server with snmpd enabled?

Thank you
0
 
LVL 78

Accepted Solution

by:
arnold earned 250 total points
ID: 38776268
editor nano, vi
/etc/syslog.conf or /etc/rsyslog.conf

search for snmpd or the log filename to which the entry is currently being added
either change from snmpd.<something> to
snmpd.none  
ps -ef | grep syslog

if it is a file, comment the line out
#line with /var/log/snmp.log
0

Featured Post

PeopleSoft Has Never Been Easier

PeopleSoft Adoption Made Smooth & Simple!

On-The-Job Training Is made Intuitive & Easy With WalkMe's On-Screen Guidance Tool.  Claim Your Free WalkMe Account Now

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

It’s 2016. Password authentication should be dead — or at least close to dying. But, unfortunately, it has not traversed Quagga stage yet. Using password authentication is like laundering hotel guest linens with a washboard — it’s Passé.
In the first part of this tutorial we will cover the prerequisites for installing SQL Server vNext on Linux.
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…
How to Install VMware Tools in Red Hat Enterprise Linux 6.4 (RHEL 6.4) Step-by-Step Tutorial
Suggested Courses

732 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question