Create cleaner snmptrapd logs

_joe · ‎02-19-2020

Hello All,

I was wondering if there is a way to cleanup the key value pair logging inside of snmptrapd? I am ingesting these logs with a UF and I do not want to perform rex sed from my indexers. Thanks.

Here is my current format string

vi /etc/snmp/snmptrapd.conf
format2 Date = %y-%02.2m-%02.2l %02.2h:%02.2j:%02.2k\n%V\n%v\n---\n

My logs look like this:
CISCO-LWAPP-DOT11-CLIENT-MIB::cldcApMacAddress.'....6C' = mac-address
CISCO-LWAPP-DOT11-CLIENT-MIB::cldcClientByIpAddressType.0 = ipv4
CISCO-LWAPP-DOT11-CLIENT-MIB::cldcClientUsername.'@&....' = name
CISCO-LWAPP-DOT11-CLIENT-MIB::cldcClientSSID.'@&....' = Employee
CISCO-LWAPP-DOT11-CLIENT-MIB::cldcClientSessionID.'@&....' = id
CISCO-LWAPP-DOT11-CLIENT-MIB::cldcApMacAddress.'@&....' = mac

I would like them to look like this (before ingesting them into Splunk)
cldcApMacAddress = mac-address
cldcClientByIpAddressType = ipv4

If that isn't possible, I would at least like to remove the random characters (example: "@&...." and "'....6C'"). I am not sure why they are generating.

bgraabek_splunk · ‎02-20-2020

Perform the cleanup in, say, a looping script that writes the cleaned up events to a separate log file and then have the UF pick up events from that log file?

_joe · ‎02-24-2020

I appreciate the feedback. At that point, I will just use rex mode=sed though. I would like to know if it would be possible to do this in snmptrapd since, I am assuming, that would be most efficient.

Create cleaner snmptrapd logs

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases