Solved

SNMP logs on Linux

Posted on 2013-01-14
8
1,002 Views
Last Modified: 2013-01-21
Hello,
We have an issue with our Linux and HPUX boxes on the logs that are created by SNMP monitoring.

The logs are full of lines like this:

Jan  9 09:53:23 monitored server snmpd[7328]: Received SNMP packet(s) from UDP: [xx.xxx.xxx.xx]:62547
Jan  9 09:53:23 monitored server snmpd[7328]: Connection from UDP: [xx.xxx.xxx.xx]:62547
Jan  9 09:53:23 monitored server last message repeated 5 times
Jan  9 09:53:25 monitored server snmpd[7328]: Connection from UDP: [xx.xxx.xxx.xx]:54926
Jan  9 09:53:25 monitored server snmpd[7328]: Received SNMP packet(s) from UDP: [xx.xxx.xxx.xx]:54926
Jan  9 09:53:25 monitored server snmpd[7328]: Connection from UDP: [xx.xxx.xxx.xx]:54926
Jan  9 09:53:25 monitored server last message repeated 7 times
Jan  9 09:54:08 monitored server snmpd[7328]: Connection from UDP: [xx.xxx.xxx.xx]:52233
Jan  9 09:54:08 monitored server snmpd[7328]: Received SNMP packet(s) from UDP: [xx.xxx.xxx.xx]:52233
Jan  9 09:54:38 monitored server snmpd[7328]: Connection from UDP: [xx.xxx.xxx.xx]:49610
Jan  9 09:54:38 monitored server snmpd[7328]: Received SNMP packet(s) from UDP: [xx.xxx.xxx.xx]:49610
Jan  9 09:54:47 monitored server snmpd[7328]: Connection from UDP: [xx.xxx.xxx.xx]:61334
Jan  9 09:54:47 monitored server snmpd[7328]: Received SNMP packet(s) from UDP: [xx.xxx.xxx.xx]:61334
Jan  9 09:55:09 monitored server snmpd[7328]: Connection from UDP: [xx.xxx.xxx.xx]:64176
Jan  9 09:55:09 monitored server snmpd[7328]: Received SNMP packet(s) from UDP: [xx.xxx.xxx.xx]:64176
Jan  9 09:55:09 monitored server snmpd[7328]: Connection from UDP: [xx.xxx.xxx.xx]:64176
Jan  9 09:55:25 monitored server snmpd[7328]: Connection from UDP: [xx.xxx.xxx.xx]:51500
Jan  9 09:55:25 monitored server snmpd[7328]: Received SNMP packet(s) from UDP: [xx.xxx.xxx.xx]:51500
Jan  9 09:55:25 monitored server snmpd[7328]: Connection from UDP: [xx.xxx.xxx.xx]:51500
Jan  9 09:55:25 monitored server last message repeated 7 times
Jan  9 09:56:03 monitored server snmpd[7328]: Connection from UDP: [xx.xxx.xxx.xx]:59116


The issue is that the logs are getting full, so, I´d like to remove this logging on the monitored servers.
Thanks in advance for your help
0
Comment
Question by:andressk
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
  • 2
8 Comments
 
LVL 79

Expert Comment

by:arnold
ID: 38775672
The log entries suggest connections from remote system I.e. hp openview or something similar.

You need to make sure that you have a log rotation process in place to manage their size.
Is the IP reflected in the log the same?
Do the systems that are referenced have snmp monitoring, poling functions?
0
 

Author Comment

by:andressk
ID: 38775736
Hello Arnold,

Thanks for your reply.

Below are the answers:

Yes, the IP reflected in the log is the same of the monitoring tool.
No, the monitored boxes don´t have polling functions, they are only monitored by snmp for resources and for some processes.

How works the log rotation process or how can I avoid the writing on these logs?

Regards
0
 
LVL 5
ID: 38775781
Hello Andressk,

I see that you are looking for filtering out these messages , some thing like input filter. I am not much of a linux guy, but I am pretty sure, Your Device who ever is generating this log, should have a good capability to avoid sending this log message to this server. Can you let me know what sort of device is generating these logs , are they Linux/hp server itself , if thats the case the you should very well have a regex to filter the incoming log as well.

Regards
Rakesh M
0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 79

Expert Comment

by:arnold
ID: 38775936
The monitoring function is a polling function.
i.e. polling means connecting via SNMP and requesting a specific parameter/s.

on Linux there is a logrotate /etc/logrotate.d
where you create a config file that will rotate the snmp log file you were accessing and.

I am unfamiliar with AIX's log management.
http://www.web-manual.net/aix/managing-log-rotation-for-aix/

Avoid writing into the logs can be done in two ways, one way you can disable snmpd.* within the configuration in /etc/syslog.conf or a syslog variant.
Depending on which SNMP is in use, it may have an option not to record SNMP connection events.
0
 

Author Comment

by:andressk
ID: 38776018
Hi Rakesh,

It´s happening on all Linux boxes (red hat and ubuntu), not only on a specific one. The tool that we are using has not other configuration options for filtering, so, the change has to be done on the servers.

Thanks
0
 
LVL 5

Assisted Solution

by:Rakesh Madupu JNCIE-SP #02079 CCIE-SP#47613
Rakesh Madupu JNCIE-SP #02079 CCIE-SP#47613 earned 250 total points
ID: 38776060
Well, the log looks like they are at Log level 6 which are informational, and it does not indicate any error on the system , but as per the below article ,if you are going to disable log level 6 logging ,you are going to miss out on many log level 6 messages as well. The following webpage was suggested by one of my friends in a quick chat . This might help you ,i do this everyday on a router and switch so this be possible on a server end, just that i have never done this before :)

http://www.stat.auckland.ac.nz/~kimihia/net-snmp

Regards
0
 

Author Comment

by:andressk
ID: 38776069
Hi Arnold,

Can you please give me a step by step process to avoid writing into the log on a Red Hat Enterprise Linux Server with snmpd enabled?

Thank you
0
 
LVL 79

Accepted Solution

by:
arnold earned 250 total points
ID: 38776268
editor nano, vi
/etc/syslog.conf or /etc/rsyslog.conf

search for snmpd or the log filename to which the entry is currently being added
either change from snmpd.<something> to
snmpd.none  
ps -ef | grep syslog

if it is a file, comment the line out
#line with /var/log/snmp.log
0

Featured Post

What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Transparency shows that a company is the kind of business that it wants people to think it is.
Use of TCL script on Cisco devices:  - create file and merge it with running configuration to apply configuration changes
Learn how to navigate the file tree with the shell. Use pwd to print the current working directory: Use ls to list a directory's contents: Use cd to change to a new directory: Use wildcards instead of typing out long directory names: Use ../ to move…
Monitoring a network: why having a policy is the best policy? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the enormous benefits of having a policy-based approach when monitoring medium and large networks. Software utilized in this v…
Suggested Courses

630 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question