Hi everyone,

Can I please get a response on the query?

Regards,
Gowtham

On Tue, Sep 10, 2019, 21:20 Thommandra Gowtham <trgowtham...@gmail.com> wrote:

> Hi
>
> I am using net-snmp 5.7.3 on Ubuntu and have a few questions regarding
> logmatch trap
>
> - How can we get more information in a logmatch trap other than the
>   pattern matched?
>
> For example if we have below configuration
>
> logmatch loginFailure /var/log/auth.log 30 Failed password
> monitor -r 10 -o logMatchName -o logMatchFileName -o logMatchCurrentCount -o logMatchRegEx "Log Match" != logMatchCurrentCount
>
> we get the below trap
>
> DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (3774203) 10:29:02.03
> SNMPv2-MIB::snmpTrapOID.0 = OID: DISMAN-EVENT-MIB::mteTriggerFired
> DISMAN-EVENT-MIB::mteHotTrigger.0 = STRING: Log Match
> DISMAN-EVENT-MIB::mteHotTargetName.0 = STRING:
> DISMAN-EVENT-MIB::mteHotContextName.0 = STRING:
> DISMAN-EVENT-MIB::mteHotOID.0 = OID: UCD-SNMP-MIB::logMatchCurrentCount.1
> DISMAN-EVENT-MIB::mteHotValue.0 = INTEGER: 3
> UCD-SNMP-MIB::logMatchName.1 = STRING: loginFailure
> UCD-SNMP-MIB::logMatchFilename.1 = STRING: /var/log/auth.log
> UCD-SNMP-MIB::logMatchCurrentCount.1 = INTEGER: 3
> UCD-SNMP-MIB::logMatchRegEx.1 = STRING: Failed password
>
> for the below message in auth.log
>
> Sep 5 19:51:43 sshd[23557]: Failed password for root from xx.xx.xx.xx port 41569 ssh2
>
> Tried with pattern in the config as well
>
> For the following config,
> logmatch loginFailure /var/log/auth.log 30 Failed password for .*
>
> we get trap like below
> DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (3022) 0:00:30.22
> SNMPv2-MIB::snmpTrapOID.0 = OID: DISMAN-EVENT-MIB::mteTriggerFired
> DISMAN-EVENT-MIB::mteHotTrigger.0 = STRING: Log Match
> DISMAN-EVENT-MIB::mteHotTargetName.0 = STRING:
> DISMAN-EVENT-MIB::mteHotContextName.0 = STRING:
> DISMAN-EVENT-MIB::mteHotOID.0 = OID: UCD-SNMP-MIB::logMatchCurrentCount.1
> DISMAN-EVENT-MIB::mteHotValue.0 = INTEGER: 9
> UCD-SNMP-MIB::logMatchName.1 = STRING: loginFailure
> UCD-SNMP-MIB::logMatchFilename.1 = STRING: /var/log/auth.log
> UCD-SNMP-MIB::logMatchCurrentCount.1 = INTEGER: 9
> UCD-SNMP-MIB::logMatchRegEx.1 = STRING: Failed password .*
>
> Is it possible to get the user name in the string as part of the logmatch
> trap? Like 'root' in above example.
>
> Thanks in advance.
>
_______________________________________________
Net-snmp-users mailing list
Net-snmp-users@lists.sourceforge.net
Please see the following page to unsubscribe or change other options:
https://lists.sourceforge.net/lists/listinfo/net-snmp-users
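An added example, not part of the original thread or of net-snmp: the traps quoted above carry only the logmatch name, file, count and regex, so one way to recover the user name is for whatever handles the trap to re-read the log file and parse the matching lines itself. The function names, sample log lines and addresses below are constructed for illustration.

```python
import re
from collections import Counter

# "user" is matched greedily so the last " from <addr> port <n>" on the line
# delimits it: the name is client-supplied and may itself contain spaces.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?"
    r"(?P<user>.*) from (?P<src>\S+) port (?P<port>\d+) ssh2\s*$"
)

# Constructed sample lines in the format quoted in the thread, with and
# without a hostname field (addresses from documentation range 192.0.2.0/24).
SAMPLE_LOG = """\
Sep  5 19:51:43 host1 sshd[23557]: Failed password for root from 192.0.2.10 port 41569 ssh2
Sep  5 19:51:47 host1 sshd[23557]: Failed password for root from 192.0.2.10 port 41569 ssh2
Sep  5 19:52:01 host1 sshd[23601]: Failed password for invalid user admin from 192.0.2.44 port 50022 ssh2
Sep  5 19:52:09 host1 sshd[23610]: Accepted password for alice from 192.0.2.7 port 50100 ssh2
Sep  5 19:52:30 sshd[23655]: Failed password for root from 192.0.2.44 port 50031 ssh2
Sep  5 19:52:41 host1 sshd[23660]: Failed password for invalid user test user from 192.0.2.44 port 50040 ssh2
"""


def parse_failures(text):
    """Return one dict per 'Failed password' line found in text."""
    events = []
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            events.append({
                "user": m.group("user"),
                # sshd logs "invalid user" when the account does not exist
                "valid_account": m.group("invalid") is None,
                "src": m.group("src"),
                "port": int(m.group("port")),
            })
    return events


def summarize(events):
    """Count failures per (user, source address) pair."""
    return Counter((e["user"], e["src"]) for e in events)


if __name__ == "__main__":
    counts = summarize(parse_failures(SAMPLE_LOG))
    for (user, src), n in counts.most_common():
        print(f"{n} failed password(s) for {user!r} from {src}")
```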