Celebrate National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

SNMP logs on Linux

Posted on 2013-01-14
8
Medium Priority
?
1,098 Views
Last Modified: 2013-01-21
Hello,
We have an issue with our Linux and HPUX boxes on the logs that are created by SNMP monitoring.

The logs are full of lines like this:

Jan  9 09:53:23 monitored server snmpd[7328]: Received SNMP packet(s) from UDP: [xx.xxx.xxx.xx]:62547
Jan  9 09:53:23 monitored server snmpd[7328]: Connection from UDP: [xx.xxx.xxx.xx]:62547
Jan  9 09:53:23 monitored server last message repeated 5 times
Jan  9 09:53:25 monitored server snmpd[7328]: Connection from UDP: [xx.xxx.xxx.xx]:54926
Jan  9 09:53:25 monitored server snmpd[7328]: Received SNMP packet(s) from UDP: [xx.xxx.xxx.xx]:54926
Jan  9 09:53:25 monitored server snmpd[7328]: Connection from UDP: [xx.xxx.xxx.xx]:54926
Jan  9 09:53:25 monitored server last message repeated 7 times
Jan  9 09:54:08 monitored server snmpd[7328]: Connection from UDP: [xx.xxx.xxx.xx]:52233
Jan  9 09:54:08 monitored server snmpd[7328]: Received SNMP packet(s) from UDP: [xx.xxx.xxx.xx]:52233
Jan  9 09:54:38 monitored server snmpd[7328]: Connection from UDP: [xx.xxx.xxx.xx]:49610
Jan  9 09:54:38 monitored server snmpd[7328]: Received SNMP packet(s) from UDP: [xx.xxx.xxx.xx]:49610
Jan  9 09:54:47 monitored server snmpd[7328]: Connection from UDP: [xx.xxx.xxx.xx]:61334
Jan  9 09:54:47 monitored server snmpd[7328]: Received SNMP packet(s) from UDP: [xx.xxx.xxx.xx]:61334
Jan  9 09:55:09 monitored server snmpd[7328]: Connection from UDP: [xx.xxx.xxx.xx]:64176
Jan  9 09:55:09 monitored server snmpd[7328]: Received SNMP packet(s) from UDP: [xx.xxx.xxx.xx]:64176
Jan  9 09:55:09 monitored server snmpd[7328]: Connection from UDP: [xx.xxx.xxx.xx]:64176
Jan  9 09:55:25 monitored server snmpd[7328]: Connection from UDP: [xx.xxx.xxx.xx]:51500
Jan  9 09:55:25 monitored server snmpd[7328]: Received SNMP packet(s) from UDP: [xx.xxx.xxx.xx]:51500
Jan  9 09:55:25 monitored server snmpd[7328]: Connection from UDP: [xx.xxx.xxx.xx]:51500
Jan  9 09:55:25 monitored server last message repeated 7 times
Jan  9 09:56:03 monitored server snmpd[7328]: Connection from UDP: [xx.xxx.xxx.xx]:59116


The issue is that the logs are getting full, so, I´d like to remove this logging on the monitored servers.
Thanks in advance for your help
0
Comment
Question by:andressk
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
  • 2
8 Comments
 
LVL 79

Expert Comment

by:arnold
ID: 38775672
The log entries suggest connections from remote system I.e. hp openview or something similar.

You need to make sure that you have a log rotation process in place to manage their size.
Is the IP reflected in the log the same?
Do the systems that are referenced have snmp monitoring, poling functions?
0
 

Author Comment

by:andressk
ID: 38775736
Hello Arnold,

Thanks for your reply.

Below are the answers:

Yes, the IP reflected in the log is the same of the monitoring tool.
No, the monitored boxes don´t have polling functions, they are only monitored by snmp for resources and for some processes.

How works the log rotation process or how can I avoid the writing on these logs?

Regards
0
 
LVL 5
ID: 38775781
Hello Andressk,

I see that you are looking for filtering out these messages , some thing like input filter. I am not much of a linux guy, but I am pretty sure, Your Device who ever is generating this log, should have a good capability to avoid sending this log message to this server. Can you let me know what sort of device is generating these logs , are they Linux/hp server itself , if thats the case the you should very well have a regex to filter the incoming log as well.

Regards
Rakesh M
0
PowerShell Core for Advanced Linux Administrators

Understand advanced principals around Powershell Core with a focus on the Linux Administrator.  This course covers how to administer numerous environments across multiple platforms including Linux, Azure, AWS, and Google Cloud from a single shell instance.

 
LVL 79

Expert Comment

by:arnold
ID: 38775936
The monitoring function is a polling function.
i.e. polling means connecting via SNMP and requesting a specific parameter/s.

on Linux there is a logrotate /etc/logrotate.d
where you create a config file that will rotate the snmp log file you were accessing and.

I am unfamiliar with AIX's log management.
http://www.web-manual.net/aix/managing-log-rotation-for-aix/

Avoid writing into the logs can be done in two ways, one way you can disable snmpd.* within the configuration in /etc/syslog.conf or a syslog variant.
Depending on which SNMP is in use, it may have an option not to record SNMP connection events.
0
 

Author Comment

by:andressk
ID: 38776018
Hi Rakesh,

It´s happening on all Linux boxes (red hat and ubuntu), not only on a specific one. The tool that we are using has not other configuration options for filtering, so, the change has to be done on the servers.

Thanks
0
 
LVL 5

Assisted Solution

by:Rakesh Madupu JNCIE-SP #02079 CCIE-SP#47613
Rakesh Madupu JNCIE-SP #02079 CCIE-SP#47613 earned 1000 total points
ID: 38776060
Well, the log looks like they are at Log level 6 which are informational, and it does not indicate any error on the system , but as per the below article ,if you are going to disable log level 6 logging ,you are going to miss out on many log level 6 messages as well. The following webpage was suggested by one of my friends in a quick chat . This might help you ,i do this everyday on a router and switch so this be possible on a server end, just that i have never done this before :)

http://www.stat.auckland.ac.nz/~kimihia/net-snmp

Regards
0
 

Author Comment

by:andressk
ID: 38776069
Hi Arnold,

Can you please give me a step by step process to avoid writing into the log on a Red Hat Enterprise Linux Server with snmpd enabled?

Thank you
0
 
LVL 79

Accepted Solution

by:
arnold earned 1000 total points
ID: 38776268
editor nano, vi
/etc/syslog.conf or /etc/rsyslog.conf

search for snmpd or the log filename to which the entry is currently being added
either change from snmpd.<something> to
snmpd.none  
ps -ef | grep syslog

if it is a file, comment the line out
#line with /var/log/snmp.log
0

Featured Post

Use Case: Protecting a Hybrid Cloud Infrastructure

Microsoft Azure is rapidly becoming the norm in dynamic IT environments. This document describes the challenges that organizations face when protecting data in a hybrid cloud IT environment and presents a use case to demonstrate how Acronis Backup protects all data.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

PRTG Network Monitor lets you monitor your bandwidth usage, so you know who is using up your bandwidth, and what they're using it for.
Google Drive is extremely cheap offsite storage, and it's even possible to get extra storage for free for two years.  You can use the free account 15GB, and if you have an Android device..when you install Google Drive for the first time it will give…
Learn how to get help with Linux/Unix bash shell commands. Use help to read help documents for built in bash shell commands.: Use man to interface with the online reference manuals for shell commands.: Use man to search man pages for unknown command…
Connecting to an Amazon Linux EC2 Instance from Windows Using PuTTY.
Suggested Courses

730 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question