Solved

SNMP logs on Linux

Posted on 2013-01-14
Last Modified: 2013-01-21
Hello,
We have an issue with our Linux and HPUX boxes on the logs that are created by SNMP monitoring.

The logs are full of lines like this:

Jan  9 09:53:23 monitored server snmpd[7328]: Received SNMP packet(s) from UDP: [xx.xxx.xxx.xx]:62547
Jan  9 09:53:23 monitored server snmpd[7328]: Connection from UDP: [xx.xxx.xxx.xx]:62547
Jan  9 09:53:23 monitored server last message repeated 5 times
Jan  9 09:53:25 monitored server snmpd[7328]: Connection from UDP: [xx.xxx.xxx.xx]:54926
Jan  9 09:53:25 monitored server snmpd[7328]: Received SNMP packet(s) from UDP: [xx.xxx.xxx.xx]:54926
Jan  9 09:53:25 monitored server snmpd[7328]: Connection from UDP: [xx.xxx.xxx.xx]:54926
Jan  9 09:53:25 monitored server last message repeated 7 times
Jan  9 09:54:08 monitored server snmpd[7328]: Connection from UDP: [xx.xxx.xxx.xx]:52233
Jan  9 09:54:08 monitored server snmpd[7328]: Received SNMP packet(s) from UDP: [xx.xxx.xxx.xx]:52233
Jan  9 09:54:38 monitored server snmpd[7328]: Connection from UDP: [xx.xxx.xxx.xx]:49610
Jan  9 09:54:38 monitored server snmpd[7328]: Received SNMP packet(s) from UDP: [xx.xxx.xxx.xx]:49610
Jan  9 09:54:47 monitored server snmpd[7328]: Connection from UDP: [xx.xxx.xxx.xx]:61334
Jan  9 09:54:47 monitored server snmpd[7328]: Received SNMP packet(s) from UDP: [xx.xxx.xxx.xx]:61334
Jan  9 09:55:09 monitored server snmpd[7328]: Connection from UDP: [xx.xxx.xxx.xx]:64176
Jan  9 09:55:09 monitored server snmpd[7328]: Received SNMP packet(s) from UDP: [xx.xxx.xxx.xx]:64176
Jan  9 09:55:09 monitored server snmpd[7328]: Connection from UDP: [xx.xxx.xxx.xx]:64176
Jan  9 09:55:25 monitored server snmpd[7328]: Connection from UDP: [xx.xxx.xxx.xx]:51500
Jan  9 09:55:25 monitored server snmpd[7328]: Received SNMP packet(s) from UDP: [xx.xxx.xxx.xx]:51500
Jan  9 09:55:25 monitored server snmpd[7328]: Connection from UDP: [xx.xxx.xxx.xx]:51500
Jan  9 09:55:25 monitored server last message repeated 7 times
Jan  9 09:56:03 monitored server snmpd[7328]: Connection from UDP: [xx.xxx.xxx.xx]:59116


The issue is that the logs are getting full, so I'd like to remove this logging on the monitored servers.
Thanks in advance for your help
Question by:andressk
 
LVL 76

Expert Comment

by:arnold
ID: 38775672
The log entries suggest connections from a remote system, i.e. hp openview or something similar.

You need to make sure that you have a log rotation process in place to manage their size.
Is the IP reflected in the log the same?
Do the systems that are referenced have snmp monitoring, polling functions?
0
 

Author Comment

by:andressk
ID: 38775736
Hello Arnold,

Thanks for your reply.

Below are the answers:

Yes, the IP reflected in the log is the same as that of the monitoring tool.
No, the monitored boxes don't have polling functions, they are only monitored by snmp for resources and for some processes.

How does the log rotation process work, or how can I avoid writing to these logs?

Regards
0
 
LVL 5
ID: 38775781
Hello Andressk,

I see that you are looking for filtering out these messages, something like an input filter. I am not much of a Linux guy, but I am pretty sure your device, whichever is generating this log, should have a good capability to avoid sending this log message to this server. Can you let me know what sort of device is generating these logs? Are they the Linux/HP servers themselves? If that's the case, then you should very well have a regex to filter the incoming log as well.

Regards
Rakesh M
0
 
LVL 76

Expert Comment

by:arnold
ID: 38775936
The monitoring function is a polling function.
i.e. polling means connecting via SNMP and requesting a specific parameter/s.

On Linux there is logrotate (/etc/logrotate.d),
where you create a config file that will rotate the snmp log file you were accessing and.

I am unfamiliar with AIX's log management.
http://www.web-manual.net/aix/managing-log-rotation-for-aix/

Avoiding writing into the logs can be done in two ways. One way is to disable snmpd.* within the configuration in /etc/syslog.conf or a syslog variant.
Depending on which SNMP is in use, it may have an option not to record SNMP connection events.
0
 

Author Comment

by:andressk
ID: 38776018
Hi Rakesh,

It's happening on all Linux boxes (Red Hat and Ubuntu), not only on a specific one. The tool that we are using has no other configuration options for filtering, so the change has to be done on the servers.

Thanks
0
 
LVL 5

Assisted Solution

by:Rakesh Madupu JNCIE-SP #02079 CCIE-SP#47613
Rakesh Madupu JNCIE-SP #02079 CCIE-SP#47613 earned 250 total points
ID: 38776060
Well, the logs look like they are at log level 6, which is informational, and they do not indicate any error on the system, but as per the article below, if you are going to disable log level 6 logging, you are going to miss out on many log level 6 messages as well. The following webpage was suggested by one of my friends in a quick chat. This might help you. I do this every day on a router and switch, so this should be possible on the server end, just that I have never done this before :)

http://www.stat.auckland.ac.nz/~kimihia/net-snmp

Regards
0
 

Author Comment

by:andressk
ID: 38776069
Hi Arnold,

Can you please give me a step by step process to avoid writing into the log on a Red Hat Enterprise Linux Server with snmpd enabled?

Thank you
0
 
LVL 76

Accepted Solution

by:
arnold earned 250 total points
ID: 38776268
editor nano, vi
/etc/syslog.conf or /etc/rsyslog.conf

search for snmpd or the log filename to which the entry is currently being added
either change from snmpd.<something> to
snmpd.none  
ps -ef | grep syslog

if it is a file, comment the line out
#line with /var/log/snmp.log
0
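A way to check a targeted filter against log lines before changing the syslog configuration, as an added example that is not part of the original thread: it drops only the two per-request snmpd messages shown in the question and keeps every other snmpd line. The function names and the sample lines (hostname, addresses, the authentication-failure wording) are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Preview what a narrow snmpd filter
# would remove, so other snmpd messages stay visible in the logs.
# On rsyslog the same match can be expressed as a property-based filter,
# e.g.  :msg, contains, "Connection from UDP" ~   (newer versions: stop).

# Print every line except the snmpd per-request messages, plus any
# "last message repeated" line that directly follows a dropped line.
filter_snmpd_noise() {
    awk '
        /snmpd\[[0-9]+\]: (Connection from|Received SNMP packet\(s\) from) UDP: / {
            dropped = 1; next
        }
        /last message repeated [0-9]+ times$/ && dropped { next }
        { dropped = 0; print }
    '
}

# Count how many input lines the filter would remove.
count_snmpd_noise() {
    input=$(cat)
    total=$(printf '%s\n' "$input" | wc -l)
    kept=$(printf '%s\n' "$input" | filter_snmpd_noise | wc -l)
    echo $((total - kept))
}

# Constructed sample input (hypothetical host and addresses).
sample_log() {
    cat <<'EOF'
Jan  9 09:53:23 host1 snmpd[7328]: Received SNMP packet(s) from UDP: [192.0.2.10]:62547
Jan  9 09:53:23 host1 snmpd[7328]: Connection from UDP: [192.0.2.10]:62547
Jan  9 09:53:23 host1 last message repeated 5 times
Jan  9 09:53:24 host1 snmpd[7328]: Authentication failed for public
Jan  9 09:53:24 host1 last message repeated 2 times
Jan  9 09:53:25 host1 sshd[901]: Accepted publickey for admin from 192.0.2.20 port 40112 ssh2
EOF
}

# Show the lines that would remain after filtering the sample.
sample_log | filter_snmpd_noise
```

To size the problem on a real host, pipe the actual log file into `count_snmpd_noise` instead of `sample_log`.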
