Hello All,
I was wondering if there is a way to clean up the key-value pair logging inside of snmptrapd? I am ingesting these logs with a UF and I do not want to perform rex sed from my indexers. Thanks.
Here is my current format string:
vi /etc/snmp/snmptrapd.conf
format2 Date = %y-%02.2m-%02.2l %02.2h:%02.2j:%02.2k\n%V\n%v\n---\n
My logs look like this:
CISCO-LWAPP-DOT11-CLIENT-MIB::cldcApMacAddress.'....6C' = mac-address
CISCO-LWAPP-DOT11-CLIENT-MIB::cldcClientByIpAddressType.0 = ipv4
CISCO-LWAPP-DOT11-CLIENT-MIB::cldcClientUsername.'@&....' = name
CISCO-LWAPP-DOT11-CLIENT-MIB::cldcClientSSID.'@&....' = Employee
CISCO-LWAPP-DOT11-CLIENT-MIB::cldcClientSessionID.'@&....' = id
CISCO-LWAPP-DOT11-CLIENT-MIB::cldcApMacAddress.'@&....' = mac
I would like them to look like this (before ingesting them into Splunk):
cldcApMacAddress = mac-address
cldcClientByIpAddressType = ipv4
If that isn't possible, I would at least like to remove the random characters (example: "@&...." and "'....6C'"). I am not sure why they are generating.
Perform the cleanup in, say, a looping script that writes the cleaned-up events to a separate log file and then have the UF pick up events from that log file?
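One way to build the looping script suggested in this reply, as an added example that is not part of the original thread: a sed filter that strips the MIB prefix and the instance index from each varbind line before the UF reads the output file. The function names, the `--follow` switch and both file paths are assumptions, and the unbuffered `-u` flag assumes GNU sed.

```shell
#!/bin/sh
# Added example (not from the thread): clean snmptrapd varbind lines written
# with the "%V" format shown above, before the forwarder picks them up.

# Rewrites  MIB-NAME::object.<index> = value  ->  object = value
# <index> is either a quoted string ('....6C') or dotted digits (.0).
# Lines that do not match (the "Date = ..." header, "---") pass through.
# LC_ALL=C makes sed treat input as raw bytes, so non-printable index
# bytes cannot break the match in a UTF-8 locale.
# Any arguments are passed to sed as extra flags (for example -u).
clean_varbinds() {
    LC_ALL=C sed -E "$@" \
        "s/^[A-Za-z0-9-]+::([A-Za-z][A-Za-z0-9-]*)\.('[^']*'|[0-9.]+) = /\1 = /"
}

# Follows the raw trap log and appends cleaned events to a second file.
# $1 = raw log written by snmptrapd, $2 = cleaned log the UF monitors.
# tail -F keeps following across log rotation; sed -u (GNU sed) flushes
# every line so events are not held back in a pipe buffer.
follow_and_clean() {
    tail -n 0 -F "$1" | clean_varbinds -u >> "$2"
}

# Assumed invocation (paths are placeholders, adjust to your setup):
#   ./clean_traps.sh --follow /var/log/snmptrapd.log /var/log/snmptrapd-clean.log
if [ "${1:-}" = "--follow" ]; then
    follow_and_clean "$2" "$3"
fi
```

An index that itself contains a single quote does not match the pattern, so that line is written unchanged rather than being cut in the wrong place.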
I appreciate the feedback. At that point, I will just use rex mode=sed though. I would like to know if it would be possible to do this in snmptrapd since, I am assuming, that would be most efficient.