Hi.
We use the SNMP trap feature of syslogd, receiving and forwarding SNMP traps as syslog messages.
The following problem was discovered with syslogd 9.4.x. It is still present in 9.5.0, but slightly different. See update below.
The attached file shows two network packets captured with Wireshark. Both packets appear to be completely valid packets, and also decode perfectly with the appropriate MIBs loaded in Wireshark.
Kiwi syslogd somehow manages to mistreat one of the packets. This is illustrated below, where you can see that cldcClientMacAddress.0 reads as ‘L?XÉöh’ in one case, and ‘Hex String=70 18 8B 44 B3 4F’ in the other. Obviously, we prefer the latter parsing of the data.
This problem is very visible to us, as approximately one third to one half of all client MAC addresses are unintelligible in our logs.
The source of the messages is SNMP traps from a Cisco WLC wireless controller.
The captured packets (in the attachment) are taken from the inbound SNMP traps to the Kiwi syslog server.
The Kiwi Display function shows the same corrupted MAC as shown below.
We have not managed to figure out any pattern in corrupted/noncorrupted packets.
Also the AP MAC address shows the same corruption. There is no obvious correlation between corruption of one or the other.
(I.e. if a client MAC is corrupted this does not imply that the AP MAC is corrupted and vice versa.)
We *think* a MAC address coming through as corrupted always comes through as corrupted.
UPDATE:
After having updated syslogd to 9.5.0, *all* MAC addresses now arrive garbled. I do prefer consistency over randomness. But still...
I have found no way to decode the received text as a valid MAC address.
None of the options under 'Input | SNMP' appear to have any impact on this issue.
Is this a bug, or an intended feature? If the latter, how am I meant to parse the received data?
From kiwi syslogd:
Client 4c:bb:58:90:94:68/10.115.170.85:
13:02:25 | community=kiwi201, enterprise=1.3.6.1.4.1.9.9.599.0.4, enterprise_mib_name=ciscoLwappDot11ClientMovedToRunState, uptime=2013100, agent_ip=10.120.5.205, version=Ver2, cldcClientMacAddress.0=L?XÉöh, cLApName.0=H-BERGEN-NGV-AP30, cldcApMacAddress.0=³¹¹?Ä, cLApDot11IfSlotId.0=0, cldcClientIPAddress.0=10.115.170.85, 1.3.6.1.4.1.9.9.599.1.3.1.1.27.0=username, 1.3.6.1.4.1.9.9.599.1.3.1.1.28.0=HFK-Skole
Client 70:18:8b:44:b3:4f/10.114.58.15:
13:05:59 | community=kiwi201, enterprise=1.3.6.1.4.1.9.9.599.0.4, enterprise_mib_name=ciscoLwappDot11ClientMovedToRunState, uptime=2034500, agent_ip=10.120.5.205, version=Ver2, cldcClientMacAddress.0="Hex String=70 18 8B 44 B3 4F", cLApName.0=H-LINDAS-KNV-AP38, cldcApMacAddress.0="Hex String=70 10 5C 93 D4 E0", cLApDot11IfSlotId.0=1, cldcClientIPAddress.0=10.114.58.15, 1.3.6.1.4.1.9.9.599.1.3.1.1.27.0=anotherusername, 1.3.6.1.4.1.9.9.599.1.3.1.1.28.0=HFK-Skole
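
An added example, not part of the original post and not Kiwi code: a log-side check that normalises the 'Hex String=' form of the two MAC fields and counts the fields that arrived as raw text, so the affected share of a log can be measured. The function names are hypothetical, and the field layout is assumed from the two messages quoted above.

```python
import re

# Constructed samples: the two Kiwi messages from the post, shortened to the relevant fields.
SAMPLES = [
    "community=kiwi201, version=Ver2, cldcClientMacAddress.0=L?XÉöh, "
    "cLApName.0=H-BERGEN-NGV-AP30, cldcApMacAddress.0=³¹¹?Ä, cLApDot11IfSlotId.0=0",
    'community=kiwi201, version=Ver2, cldcClientMacAddress.0="Hex String=70 18 8B 44 B3 4F", '
    'cLApName.0=H-LINDAS-KNV-AP38, cldcApMacAddress.0="Hex String=70 10 5C 93 D4 E0", '
    "cLApDot11IfSlotId.0=1",
]

MAC_KEYS = ("cldcClientMacAddress.0", "cldcApMacAddress.0")
# key=value pairs; a value is double-quoted or runs to the next comma.
# A raw-text value that itself contains a comma byte would be cut short here.
FIELD_RE = re.compile(r'([\w.]+)=("[^"]*"|[^,]*)')
HEX_RE = re.compile(r"Hex String=((?:[0-9A-Fa-f]{2} ){5}[0-9A-Fa-f]{2})")


def parse_fields(message):
    """Split one forwarded trap message into a {name: value} dict."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(message)}


def normalise_mac(value):
    """Return (mac, form): the 'Hex String=' form is lossless, raw text is not trusted."""
    m = HEX_RE.fullmatch(value)
    if m:
        return m.group(1).lower().replace(" ", ":"), "hex"
    return None, "text"


def mac_fields(message):
    """Normalise every MAC field present in one message."""
    fields = parse_fields(message)
    return {k: normalise_mac(fields[k]) for k in MAC_KEYS if k in fields}


def audit(messages):
    """Count (unusable, total) MAC fields, to measure how much of a log is affected."""
    results = [r for msg in messages for r in mac_fields(msg).values()]
    return sum(1 for mac, _ in results if mac is None), len(results)


if __name__ == "__main__":
    for line in SAMPLES:
        print(mac_fields(line))
    print("unusable/total:", audit(SAMPLES))
```

The raw-text form is reported as unusable rather than decoded, because the '?' characters in the quoted output stand in for bytes that are no longer present in the log.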