Eliminating SNMP “Connection from UDP” Messages

If you’re running a recent distribution of Linux and it’s being polled by SNMP, chances are you see a lot of this in your logs:

Aug 23 08:20:43 myserver snmpd[951]: Connection from UDP: [192.168.0.1]:51832->[192.168.0.8]
Aug 23 08:20:43 myserver snmpd[951]: Connection from UDP: [192.168.0.1]:43120->[192.168.0.8]
Aug 23 08:20:43 myserver snmpd[951]: Connection from UDP: [192.168.0.1]:55987->[192.168.0.8]
Aug 23 08:20:43 myserver snmpd[951]: Connection from UDP: [192.168.0.1]:36068->[192.168.0.8]
Aug 23 08:20:43 myserver snmpd[951]: Connection from UDP: [192.168.0.1]:38750->[192.168.0.8]

While informative, it creates a lot of noise. There are different things you can do to get rid of it.

  • Disable snmpd’s logging completely. Not recommended.
  • Filter out the messages during log processing using third-party tools (grep, sec, ossec, etc.).
  • Tell snmpd to not print these messages.

I’m only going to describe the last option, changing snmpd’s logging options.

The file that needs updating depends on your distribution.

RedHat/CentOS/Scientific Linux: /etc/sysconfig/snmpd
Debian/Ubuntu: /etc/default/snmpd

You want to look for the line that passes the command line options to snmpd.  On RedHat Enterprise 6 this looks like:

# snmpd command line options
# OPTIONS="-LS0-6d -Lf /dev/null -p /var/run/snmpd.pid"

The option to change is the -L option, which controls snmpd’s logging. You want to change the range from 0-6 to 0-5. (On RedHat Enterprise 6 you also have to uncomment the line.) The result looks like:

# snmpd command line options
OPTIONS="-LS0-5d -Lf /dev/null -p /var/run/snmpd.pid"

Restart snmpd and you’re done.
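
The edit described above as a script. This is an added example, not part of the original post. It assumes the RedHat Enterprise 6 style OPTIONS line quoted earlier and leaves any other layout untouched; the function name lower_snmpd_loglevel and its return codes are made up for this example.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the RHEL 6 style
# OPTIONS="... -LS0-6d ..." line; any other layout is left untouched.

# lower_snmpd_loglevel FILE   (hypothetical helper name)
#   Uncomments the OPTIONS line if needed and changes -LS0-6d to -LS0-5d,
#   so syslog priority 6 (info) messages are no longer logged.
#   Returns 0 = file changed (original kept as FILE.bak),
#           1 = already set to 0-5, nothing done,
#           2 = file missing or no matching OPTIONS line.
lower_snmpd_loglevel() {
    conf=$1
    pat='^[[:space:]]*#?[[:space:]]*OPTIONS=.*-LS0-6d'
    [ -f "$conf" ] || return 2
    # An active (uncommented) line already at 0-5 means nothing to do.
    if grep -Eq '^[[:space:]]*OPTIONS=.*-LS0-5d' "$conf"; then
        return 1
    fi
    grep -Eq "$pat" "$conf" || return 2
    cp -p "$conf" "$conf.bak" || return 2
    # Edit only the matching OPTIONS line; plain comments such as
    # "# snmpd command line options" stay as they are.
    sed -E "/$pat/{
        s/^[[:space:]]*#[[:space:]]*//
        s/-LS0-6d/-LS0-5d/
    }" "$conf.bak" > "$conf"
}

# Constructed sample: the stock RHEL 6 lines quoted in the post.
demo() {
    tmp=$(mktemp) || return 1
    printf '%s\n' '# snmpd command line options' \
        '# OPTIONS="-LS0-6d -Lf /dev/null -p /var/run/snmpd.pid"' > "$tmp"
    lower_snmpd_loglevel "$tmp"
    echo "first run:  rc=$?"
    lower_snmpd_loglevel "$tmp"
    echo "second run: rc=$?"
    cat "$tmp"
    rm -f "$tmp" "$tmp.bak"
}
demo
```

On a real host, point the function at /etc/sysconfig/snmpd as root and restart snmpd only when it returns 0.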

Remote logging with Syslog-NG

(This how-to is also available in the wiki.)

Prerequisites

This document only covers syslog-ng, so both the client and the server must have syslog-ng installed and properly functioning.

Step 1. Configuring the server.

  1. Open /etc/syslog-ng/syslog-ng.conf for editing.
  2. In the source section, add or un-comment the following line:
       udp(ip("0.0.0.0") port(514));
  3. Save and exit the file.
  4. Restart syslog-ng*:
       service syslog-ng restart

Step 2.  Configuring the client.

  1. Open /etc/syslog-ng/syslog-ng.conf for editing.
  2. Add a new destination that points to the syslog server:
       destination zenoss {udp("192.168.99.23" port(514));};
  3. Add a new log entry that uses the destination you just added:
       log { source(src); destination(zenoss); };
  4. Restart syslog-ng*:
       service syslog-ng restart

Syslog entries on the client will now also appear in the syslog of the server.

*Some distributions use syslog instead of syslog-ng. SuSE Linux Enterprise is one of these.