当前位置: 文江博客话题详情

如何使用错误数据退出运行tcpdump的bash脚本

发布于 2025-02-06 13:14:05 字数 5552 浏览 2 评论 0原文

我有以下BASH脚本将TCPDUMP数据获取并将其(最终)输送到MySQL,以写入数据库。如果脚本崩溃,CRON每分钟一次运行一次管道输出,以检查TCPDUMP进程,并在必要时重新启动。

bash /usr/bin/uem_trap >>/var/log/uem.log 2>&1

该脚本确实会不时出现各种错误崩溃,并且我想在此过程中获取更多的详细信息,以便我可以改进脚本。

ERROR 1064 (42000) at line 1665: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ',,,,,"",");

linux host.domain.com 3.10.0-1160.36.2.2.el7.x86_64#1 SMP Wed 21 7月21日11:57:15 UTC 2021 x86_64 x86_64 x86_64 x86_64 x86_64 gnu/linux Maria DB版本:10.2.40-mariadb

#!/bin/sh

if ps -ef | grep -v grep | grep '/usr/sbin/tcpdump -l -i ens192 -n -nn port snmptrap' ; then
    exit 0
else
    /usr/sbin/tcpdump -l -i ens192 -n -nn port snmptrap | stdbuf -i0 -o0 -e0 awk -F '( IP 1| +\\.1.3.6.1.([0-9]|\\.)+=)' '{gsub(/(^\"|\"$)/,"",$15); gsub(/\"/,"|",$15); gsub(/(^|$)/,"\"",$15); print "use uem; INSERT INTO uem_log (uem_dt, uem_num, uem_seq, category, entity, resource, severity, detect_time, message) VALUES (\"" $1 "\","  $3 "," $16 "," $7 "," $9 "," $10 "," $11 ",\"" $13 "\"," $15 ");\n"}' | stdbuf -i0 -o0 -e0 mysql --user=uuuu --password=pppp &
fi

,每个请求,几行TCPDUMP:

09:49:15.914587 IP 192.168.11.20.60751 > 10.74.251.198.162:  F= U="MotoNorth" E=_80_00_00_a1_03_00_0c_29_5e_74_32 C="" V2Trap(448)  .1.3.6.1.2.1.1.3.0=568989040 .1.3.6.1.6.3.1.1.4.1.0=.1.3.6.1.4.1.161.3.10.104.1 .1.3.6.1.4.1.161.3.10.105.3.0=55420744 .1.3.6.1.4.1.161.3.10.105.4.0="PortStatusClear" .1.3.6.1.4.1.161.3.10.105.5.0=4 .1.3.6.1.4.1.161.3.10.105.6.0="10.201.8.240:port:16" .1.3.6.1.4.1.161.3.10.105.7.0="16" .1.3.6.1.4.1.161.3.10.105.8.0="cs01l008s1.convloc8.csub1.ucs" .1.3.6.1.4.1.161.3.10.105.9.0=6 .1.3.6.1.4.1.161.3.10.105.10.0="10.201.8.240:HpSwitch2620-24" .1.3.6.1.4.1.161.3.10.105.11.0=07_e6_06_0a_09_31_0f_08_2d_05_00 .1.3.6.1.4.1.161.3.10.105.12.0=07_b2_01_01_00_00_00_00_2b_00_00 .1.3.6.1.4.1.161.3.10.105.13.0="Port state is UP" .1.3.6.1.4.1.161.3.10.105.19.0=7901418 .1.3.6.1.4.1.161.3.10.105.20.0="10.201.8.240"
09:49:15.915396 IP 192.168.11.20.60751 > 10.74.251.198.162:  F= U="MotoNorth" E=_80_00_00_a1_03_00_0c_29_5e_74_32 C="" V2Trap(536)  .1.3.6.1.2.1.1.3.0=568989040 .1.3.6.1.6.3.1.1.4.1.0=.1.3.6.1.4.1.161.3.10.104.1 .1.3.6.1.4.1.161.3.10.105.3.0=55420745 .1.3.6.1.4.1.161.3.10.105.4.0=".1.3.6.1.4.1.11.2.3.7.11.129.0.2" .1.3.6.1.4.1.161.3.10.105.5.0=256 .1.3.6.1.4.1.161.3.10.105.6.0="10.201.8.240" .1.3.6.1.4.1.161.3.10.105.7.0="10.201.8.240" .1.3.6.1.4.1.161.3.10.105.8.0="cs01l008s1.convloc8.csub1.ucs" .1.3.6.1.4.1.161.3.10.105.9.0=7 .1.3.6.1.4.1.161.3.10.105.10.0="10.201.8.240:HpSwitch2620-24" .1.3.6.1.4.1.161.3.10.105.11.0=07_e6_06_0a_09_31_0f_08_2d_05_00 .1.3.6.1.4.1.161.3.10.105.12.0=07_b2_01_01_00_00_00_00_2b_00_00 .1.3.6.1.4.1.161.3.10.105.13.0="HP Networking 2620-24 Trap - I 06/10/22 14:49:12 00076 ports: port 16 is now on-line" .1.3.6.1.4.1.161.3.10.105.19.0=7901419 .1.3.6.1.4.1.161.3.10.105.20.0="10.201.8.240"
09:49:17.938223 IP 192.168.11.20.60751 > 10.74.251.198.162:  F= U="MotoNorth" E=_80_00_00_a1_03_00_0c_29_5e_74_32 C="" V2Trap(493)  .1.3.6.1.2.1.1.3.0=568989243 .1.3.6.1.6.3.1.1.4.1.0=.1.3.6.1.4.1.161.3.10.104.1 .1.3.6.1.4.1.161.3.10.105.3.0=55420746 .1.3.6.1.4.1.161.3.10.105.4.0="zc_trunked_site_channel.1.1" .1.3.6.1.4.1.161.3.10.105.5.0=11 .1.3.6.1.4.1.161.3.10.105.6.0="MZC-1:zc_trunked_site_channel:60.4" .1.3.6.1.4.1.161.3.10.105.7.0="Trunked Site Channel 4" .1.3.6.1.4.1.161.3.10.105.8.0="Site 60 at zone1" .1.3.6.1.4.1.161.3.10.105.9.0=6 .1.3.6.1.4.1.161.3.10.105.10.0="MZC-1:ZCcallProcessingSubsystemSite:60" .1.3.6.1.4.1.161.3.10.105.11.0=07_e6_06_0a_09_31_11_09_2d_05_00 .1.3.6.1.4.1.161.3.10.105.12.0=07_e6_06_0a_09_31_11_00_2d_05_00 .1.3.6.1.4.1.161.3.10.105.13.0="ENABLED, NO REASON" .1.3.6.1.4.1.161.3.10.105.19.0=7901420 .1.3.6.1.4.1.161.3.10.105.20.0="10.1.233.100"
09:49:22.886594 IP 192.168.11.20.60751 > 10.74.251.198.162:  F= U="MotoNorth" E=_80_00_00_a1_03_00_0c_29_5e_74_32 C="" V2Trap(644)  .1.3.6.1.2.1.1.3.0=568989738 .1.3.6.1.6.3.1.1.4.1.0=.1.3.6.1.4.1.161.3.10.104.1 .1.3.6.1.4.1.161.3.10.105.3.0=55420747 .1.3.6.1.4.1.161.3.10.105.4.0=".1.3.6.1.2.1.14.16.2.10.1" .1.3.6.1.4.1.161.3.10.105.5.0=256 .1.3.6.1.4.1.161.3.10.105.6.0="10.1.253.202" .1.3.6.1.4.1.161.3.10.105.7.0="10.1.253.202" .1.3.6.1.4.1.161.3.10.105.8.0="z001edge02.zone1" .1.3.6.1.4.1.161.3.10.105.9.0=7 .1.3.6.1.4.1.161.3.10.105.10.0="10.1.253.202:FMT_juniper-1500" .1.3.6.1.4.1.161.3.10.105.11.0=07_e6_06_0a_09_31_16_08_2d_05_00 .1.3.6.1.4.1.161.3.10.105.12.0=07_b2_01_01_00_00_00_00_2b_00_00 .1.3.6.1.4.1.161.3.10.105.13.0="OSPF packet has been retransmitted on a non- virtual interface. All packets that may be re- transmitted are associated with an LSDB entry. The LS type, LS ID, and Router ID are used to identify the LSDB entry." .1.3.6.1.4.1.161.3.10.105.19.0=7901421 .1.3.6.1.4.1.161.3.10.105.20.0="10.1.253.202"

更新6/10 14:27:我时不时地发现,当一台设备发送一些带有大消息的陷阱时,我会得到这些:

10:26:14.969355 IP 192.168.11.20.60751 > 10.74.251.198.snmptrap:  [len1468<asnlen2143]
10:26:14.970131 IP 192.168.11.20.60751 > 10.74.251.198.snmptrap:  [len1468<asnlen2042]
10:26:15.179580 IP 192.168.11.20.60751 > 10.74.251.198.snmptrap:  [len1468<asnlen2225]
10:26:15.290469 IP 192.168.11.20.60751 > 10.74.251.198.snmptrap:  [len1468<asnlen2338]

我有将捕获尺寸提高到2500。我们将观看并查看会发生什么。

/usr/sbin/tcpdump -s 2500 -l -i ens192 -n -nn port snmptrap...
原文

I have the following bash script that takes tcpdump data and pipes it (eventually) to mysql to be written to a database. In case the script crashes, cron runs with piped output once a minute to check for the tcpdump process and restart it if necessary.

bash /usr/bin/uem_trap >>/var/log/uem.log 2>&1

The script does crash from time to time with various errors and I'd like to get more verbose information when it does so that I can improve the script.

ERROR 1064 (42000) at line 1665: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ',,,,,"",");

Linux host.domain.com 3.10.0-1160.36.2.el7.x86_64 #1 SMP Wed Jul 21 11:57:15 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
Maria DB version: 10.2.40-MariaDB

#!/bin/sh

if ps -ef | grep -v grep | grep '/usr/sbin/tcpdump -l -i ens192 -n -nn port snmptrap' ; then
    exit 0
else
    /usr/sbin/tcpdump -l -i ens192 -n -nn port snmptrap | stdbuf -i0 -o0 -e0 awk -F '( IP 1| +\\.1.3.6.1.([0-9]|\\.)+=)' '{gsub(/(^\"|\"$)/,"",$15); gsub(/\"/,"|",$15); gsub(/(^|$)/,"\"",$15); print "use uem; INSERT INTO uem_log (uem_dt, uem_num, uem_seq, category, entity, resource, severity, detect_time, message) VALUES (\"" $1 "\","  $3 "," $16 "," $7 "," $9 "," $10 "," $11 ",\"" $13 "\"," $15 ");\n"}' | stdbuf -i0 -o0 -e0 mysql --user=uuuu --password=pppp &
fi

per request, a few lines of tcpdump:

09:49:15.914587 IP 192.168.11.20.60751 > 10.74.251.198.162:  F= U="MotoNorth" E=_80_00_00_a1_03_00_0c_29_5e_74_32 C="" V2Trap(448)  .1.3.6.1.2.1.1.3.0=568989040 .1.3.6.1.6.3.1.1.4.1.0=.1.3.6.1.4.1.161.3.10.104.1 .1.3.6.1.4.1.161.3.10.105.3.0=55420744 .1.3.6.1.4.1.161.3.10.105.4.0="PortStatusClear" .1.3.6.1.4.1.161.3.10.105.5.0=4 .1.3.6.1.4.1.161.3.10.105.6.0="10.201.8.240:port:16" .1.3.6.1.4.1.161.3.10.105.7.0="16" .1.3.6.1.4.1.161.3.10.105.8.0="cs01l008s1.convloc8.csub1.ucs" .1.3.6.1.4.1.161.3.10.105.9.0=6 .1.3.6.1.4.1.161.3.10.105.10.0="10.201.8.240:HpSwitch2620-24" .1.3.6.1.4.1.161.3.10.105.11.0=07_e6_06_0a_09_31_0f_08_2d_05_00 .1.3.6.1.4.1.161.3.10.105.12.0=07_b2_01_01_00_00_00_00_2b_00_00 .1.3.6.1.4.1.161.3.10.105.13.0="Port state is UP" .1.3.6.1.4.1.161.3.10.105.19.0=7901418 .1.3.6.1.4.1.161.3.10.105.20.0="10.201.8.240"
09:49:15.915396 IP 192.168.11.20.60751 > 10.74.251.198.162:  F= U="MotoNorth" E=_80_00_00_a1_03_00_0c_29_5e_74_32 C="" V2Trap(536)  .1.3.6.1.2.1.1.3.0=568989040 .1.3.6.1.6.3.1.1.4.1.0=.1.3.6.1.4.1.161.3.10.104.1 .1.3.6.1.4.1.161.3.10.105.3.0=55420745 .1.3.6.1.4.1.161.3.10.105.4.0=".1.3.6.1.4.1.11.2.3.7.11.129.0.2" .1.3.6.1.4.1.161.3.10.105.5.0=256 .1.3.6.1.4.1.161.3.10.105.6.0="10.201.8.240" .1.3.6.1.4.1.161.3.10.105.7.0="10.201.8.240" .1.3.6.1.4.1.161.3.10.105.8.0="cs01l008s1.convloc8.csub1.ucs" .1.3.6.1.4.1.161.3.10.105.9.0=7 .1.3.6.1.4.1.161.3.10.105.10.0="10.201.8.240:HpSwitch2620-24" .1.3.6.1.4.1.161.3.10.105.11.0=07_e6_06_0a_09_31_0f_08_2d_05_00 .1.3.6.1.4.1.161.3.10.105.12.0=07_b2_01_01_00_00_00_00_2b_00_00 .1.3.6.1.4.1.161.3.10.105.13.0="HP Networking 2620-24 Trap - I 06/10/22 14:49:12 00076 ports: port 16 is now on-line" .1.3.6.1.4.1.161.3.10.105.19.0=7901419 .1.3.6.1.4.1.161.3.10.105.20.0="10.201.8.240"
09:49:17.938223 IP 192.168.11.20.60751 > 10.74.251.198.162:  F= U="MotoNorth" E=_80_00_00_a1_03_00_0c_29_5e_74_32 C="" V2Trap(493)  .1.3.6.1.2.1.1.3.0=568989243 .1.3.6.1.6.3.1.1.4.1.0=.1.3.6.1.4.1.161.3.10.104.1 .1.3.6.1.4.1.161.3.10.105.3.0=55420746 .1.3.6.1.4.1.161.3.10.105.4.0="zc_trunked_site_channel.1.1" .1.3.6.1.4.1.161.3.10.105.5.0=11 .1.3.6.1.4.1.161.3.10.105.6.0="MZC-1:zc_trunked_site_channel:60.4" .1.3.6.1.4.1.161.3.10.105.7.0="Trunked Site Channel 4" .1.3.6.1.4.1.161.3.10.105.8.0="Site 60 at zone1" .1.3.6.1.4.1.161.3.10.105.9.0=6 .1.3.6.1.4.1.161.3.10.105.10.0="MZC-1:ZCcallProcessingSubsystemSite:60" .1.3.6.1.4.1.161.3.10.105.11.0=07_e6_06_0a_09_31_11_09_2d_05_00 .1.3.6.1.4.1.161.3.10.105.12.0=07_e6_06_0a_09_31_11_00_2d_05_00 .1.3.6.1.4.1.161.3.10.105.13.0="ENABLED, NO REASON" .1.3.6.1.4.1.161.3.10.105.19.0=7901420 .1.3.6.1.4.1.161.3.10.105.20.0="10.1.233.100"
09:49:22.886594 IP 192.168.11.20.60751 > 10.74.251.198.162:  F= U="MotoNorth" E=_80_00_00_a1_03_00_0c_29_5e_74_32 C="" V2Trap(644)  .1.3.6.1.2.1.1.3.0=568989738 .1.3.6.1.6.3.1.1.4.1.0=.1.3.6.1.4.1.161.3.10.104.1 .1.3.6.1.4.1.161.3.10.105.3.0=55420747 .1.3.6.1.4.1.161.3.10.105.4.0=".1.3.6.1.2.1.14.16.2.10.1" .1.3.6.1.4.1.161.3.10.105.5.0=256 .1.3.6.1.4.1.161.3.10.105.6.0="10.1.253.202" .1.3.6.1.4.1.161.3.10.105.7.0="10.1.253.202" .1.3.6.1.4.1.161.3.10.105.8.0="z001edge02.zone1" .1.3.6.1.4.1.161.3.10.105.9.0=7 .1.3.6.1.4.1.161.3.10.105.10.0="10.1.253.202:FMT_juniper-1500" .1.3.6.1.4.1.161.3.10.105.11.0=07_e6_06_0a_09_31_16_08_2d_05_00 .1.3.6.1.4.1.161.3.10.105.12.0=07_b2_01_01_00_00_00_00_2b_00_00 .1.3.6.1.4.1.161.3.10.105.13.0="OSPF packet has been retransmitted on a non- virtual interface. All packets that may be re- transmitted are associated with an LSDB entry. The LS type, LS ID, and Router ID are used to identify the LSDB entry." .1.3.6.1.4.1.161.3.10.105.19.0=7901421 .1.3.6.1.4.1.161.3.10.105.20.0="10.1.253.202"

UPDATE 6/10 14:27: I discovered that every now and then I get these when one device sends a few traps with a large message:

10:26:14.969355 IP 192.168.11.20.60751 > 10.74.251.198.snmptrap:  [len1468<asnlen2143]
10:26:14.970131 IP 192.168.11.20.60751 > 10.74.251.198.snmptrap:  [len1468<asnlen2042]
10:26:15.179580 IP 192.168.11.20.60751 > 10.74.251.198.snmptrap:  [len1468<asnlen2225]
10:26:15.290469 IP 192.168.11.20.60751 > 10.74.251.198.snmptrap:  [len1468<asnlen2338]

I have increased the capture size to 2500. We'll watch and see what happens.

/usr/sbin/tcpdump -s 2500 -l -i ens192 -n -nn port snmptrap...

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(1

执妄 2025-02-13 13:14:05

似乎在内部引用awk脚本。
使用静态字符串进行测试,该静态字符串模拟snmptrap

read -r -d '' snmpstr <<'EOFS'
11:47:50.905818 IP 10.10.201.27.56503 > 10.10.202.11.162:  V2Trap(138)  .1.3.6.1.2.1.1.3.0=791308 .1.3.6.1.6.3.1.1.4.1.0=.1.3.6.1.6.3.1.1.5.4 .1.3.6.1.2.1.2.2.1.1.1=1 .1.3.6.1.2.1.2.2.1.2.1="FastEthernet0/0" .1.3.6.1.2.1.2.2.1.3.1=6 .1.3.6.1.4.1.9.2.2.1.1.20.1="up"
10:59:17.614465 IP 10.25.5.20.43471 > 10.25.5.30.snmptrap:  V2Trap(185)  .1.3.6.1.2.1.1.3.0=155084 .1.3.6.1.6.3.1.1.4.1.0=.1.3.6.1.4.1.20006.1.7 .1.3.6.1.4.1.20006.1.3.1.2="CentOS" .1.3.6.1.4.1.20006.1.3.1.6="Users" .1.3.6.1.4.1.20006.1.3.1.7=1 .1.3.6.1.4.1.20006.1.3.1.17="USERS WARNING - 1 users currently logged in"
EOFS
 
    echo "$snmpstr" | stdbuf -i0 -o0 -e0 awk -F '( IP 1| +\\.1.3.6.1.([0-9]|\\.)+=)' '{gsub(/(^\"|\"$)/,"",$15); gsub(/\"/,"|",$15); gsub(/(^|$)/,"\"",$15); print "use uem; INSERT INTO uem_log (uem_dt, uem_num, uem_seq, category, entity, resource, severity, detect_time, message) VALUES (\"" $1 "\","  $3 "," $16 "," $7 "," $9 "," $10 "," $11 ",\"" $13 "\"," $15 ");\n" }'

结果类似于OP的SQL报告错误,因为输入中缺少字段

use uem; INSERT INTO uem_log (uem_dt, uem_num, uem_seq, category, entity, resource, severity, detect_time, message) VALUES ("11:47:50.905818",791308,,6,,,,"",");

use uem; INSERT INTO uem_log (uem_dt, uem_num, uem_seq, category, entity, resource, severity, detect_time, message) VALUES ("10:59:17.614465",155084,,1,,,,"",");

,如果SQL查询已将其移至带有printf

read -r -d '' snmpstr <<'EOFS'
11:47:50.905818 IP 10.10.201.27.56503 > 10.10.202.11.162:  V2Trap(138)  .1.3.6.1.2.1.1.3.0=791308 .1.3.6.1.6.3.1.1.4.1.0=.1.3.6.1.6.3.1.1.5.4 .1.3.6.1.2.1.2.2.1.1.1=1 .1.3.6.1.2.1.2.2.1.2.1="FastEthernet0/0" .1.3.6.1.2.1.2.2.1.3.1=777 .1.3.6.1.4.1.9.2.2.1.1.20.1="up" .1.3.6.1.2.1.1.3.0=999 .1.3.6.1.2.1.1.3.0=101010 .1.3.6.1.2.1.1.3.0=111111 .1.3.6.1.2.1.1.3.0=121212 .1.3.6.1.2.1.1.3.0=field13 .1.3.6.1.2.1.1.3.0=141414 .1.3.6.1.2.1.1.3.0=151515 .1.3.6.1.2.1.1.3.0=161616
10:59:17.614465 IP 10.25.5.20.43471 > 10.25.5.30.snmptrap:  V2Trap(185)  .1.3.6.1.2.1.1.3.0=155084 .1.3.6.1.6.3.1.1.4.1.0=.1.3.6.1.4.1.20006.1.7 .1.3.6.1.4.1.20006.1.3.1.2="CentOS" .1.3.6.1.4.1.20006.1.3.1.6="Users" .1.3.6.1.4.1.20006.1.3.1.7=777 .1.3.6.1.4.1.20006.1.3.1.17="USERS WARNING - 1 users currently logged in" .1.3.6.1.2.1.1.3.0=999 .1.3.6.1.2.1.1.3.0=101010 .1.3.6.1.2.1.1.3.0=111111 .1.3.6.1.2.1.1.3.0=121212 .1.3.6.1.2.1.1.3.0=field13 .1.3.6.1.2.1.1.3.0=141414 .1.3.6.1.2.1.1.3.0=151515 .1.3.6.1.2.1.1.3.0=161616
EOFS

sql='use uem; INSERT INTO uem_log (uem_dt, uem_num, uem_seq, category, entity, resource, severity, detect_time, message) VALUES ("%s",%d,%d,%d,%d,%d,%d,"%s",%s);\n'
echo "$snmpstr" | stdbuf -i0 -o0 -e0 awk -v sql="$sql" -F '( IP 1| +\\.1.3.6.1.([0-9]|\\.)+=)' '{gsub(/(^\"|\"$)/,"",$15); gsub(/\"/,"|",$15); gsub(/(^|$)/,"\"",$15); printf sql,$1,$3,$16,$7,$9,$10,$11,$13, $15 }'

# uncomment this line to print debug found fields
#echo "$snmpstr" | awk -v sql="$sql" -F '( IP 1| +\\.1.3.6.1.([0-9]|\\.)+=)' 'BEGIN{OFS=" ¬ "} {gsub(/(^\"|\"$)/,"",$15); gsub(/\"/,"|",$15); gsub(/(^|$)/,"\"",$15); print "1:" $1, "3:" $3, "16:" $16, "7:" $7, "9:" $9, "10:" $10, "11:" $11, "13:" $13, "15:" $15 }'

结果

use uem; INSERT INTO uem_log (uem_dt, uem_num, uem_seq, category, entity, resource, severity, detect_time, message) VALUES ("11:47:50.905818",791308,161616,777,999,101010,111111,"field13","151515");
use uem; INSERT INTO uem_log (uem_dt, uem_num, uem_seq, category, entity, resource, severity, detect_time, message) VALUES ("10:59:17.614465",155084,161616,777,999,101010,111111,"field13","151515");

通过检查awk的数量,可以避免 不完整的记录。
记录

if(NF >= 16){ printf sql,$1,$3,$16,$7,$9,$10,$11,$13,$15 } else { print "Incomplete snmptrap record: " $0 > "/dev/stderr" }

Seems there's a problem with quoting inside awkscript.
Testing with a static string that simulates a snmptrap:

read -r -d '' snmpstr <<'EOFS'
11:47:50.905818 IP 10.10.201.27.56503 > 10.10.202.11.162:  V2Trap(138)  .1.3.6.1.2.1.1.3.0=791308 .1.3.6.1.6.3.1.1.4.1.0=.1.3.6.1.6.3.1.1.5.4 .1.3.6.1.2.1.2.2.1.1.1=1 .1.3.6.1.2.1.2.2.1.2.1="FastEthernet0/0" .1.3.6.1.2.1.2.2.1.3.1=6 .1.3.6.1.4.1.9.2.2.1.1.20.1="up"
10:59:17.614465 IP 10.25.5.20.43471 > 10.25.5.30.snmptrap:  V2Trap(185)  .1.3.6.1.2.1.1.3.0=155084 .1.3.6.1.6.3.1.1.4.1.0=.1.3.6.1.4.1.20006.1.7 .1.3.6.1.4.1.20006.1.3.1.2="CentOS" .1.3.6.1.4.1.20006.1.3.1.6="Users" .1.3.6.1.4.1.20006.1.3.1.7=1 .1.3.6.1.4.1.20006.1.3.1.17="USERS WARNING - 1 users currently logged in"
EOFS
 
    echo "$snmpstr" | stdbuf -i0 -o0 -e0 awk -F '( IP 1| +\\.1.3.6.1.([0-9]|\\.)+=)' '{gsub(/(^\"|\"$)/,"",$15); gsub(/\"/,"|",$15); gsub(/(^|$)/,"\"",$15); print "use uem; INSERT INTO uem_log (uem_dt, uem_num, uem_seq, category, entity, resource, severity, detect_time, message) VALUES (\"" $1 "\","  $3 "," $16 "," $7 "," $9 "," $10 "," $11 ",\"" $13 "\"," $15 ");\n" }'

Result similar to OP's SQL reported error due to missing fields in input

use uem; INSERT INTO uem_log (uem_dt, uem_num, uem_seq, category, entity, resource, severity, detect_time, message) VALUES ("11:47:50.905818",791308,,6,,,,"",");

use uem; INSERT INTO uem_log (uem_dt, uem_num, uem_seq, category, entity, resource, severity, detect_time, message) VALUES ("10:59:17.614465",155084,,1,,,,"",");

Now if SQL query is moved to an external variable with printf formatters, it works better and code is more readable. Testing with all fields present

read -r -d '' snmpstr <<'EOFS'
11:47:50.905818 IP 10.10.201.27.56503 > 10.10.202.11.162:  V2Trap(138)  .1.3.6.1.2.1.1.3.0=791308 .1.3.6.1.6.3.1.1.4.1.0=.1.3.6.1.6.3.1.1.5.4 .1.3.6.1.2.1.2.2.1.1.1=1 .1.3.6.1.2.1.2.2.1.2.1="FastEthernet0/0" .1.3.6.1.2.1.2.2.1.3.1=777 .1.3.6.1.4.1.9.2.2.1.1.20.1="up" .1.3.6.1.2.1.1.3.0=999 .1.3.6.1.2.1.1.3.0=101010 .1.3.6.1.2.1.1.3.0=111111 .1.3.6.1.2.1.1.3.0=121212 .1.3.6.1.2.1.1.3.0=field13 .1.3.6.1.2.1.1.3.0=141414 .1.3.6.1.2.1.1.3.0=151515 .1.3.6.1.2.1.1.3.0=161616
10:59:17.614465 IP 10.25.5.20.43471 > 10.25.5.30.snmptrap:  V2Trap(185)  .1.3.6.1.2.1.1.3.0=155084 .1.3.6.1.6.3.1.1.4.1.0=.1.3.6.1.4.1.20006.1.7 .1.3.6.1.4.1.20006.1.3.1.2="CentOS" .1.3.6.1.4.1.20006.1.3.1.6="Users" .1.3.6.1.4.1.20006.1.3.1.7=777 .1.3.6.1.4.1.20006.1.3.1.17="USERS WARNING - 1 users currently logged in" .1.3.6.1.2.1.1.3.0=999 .1.3.6.1.2.1.1.3.0=101010 .1.3.6.1.2.1.1.3.0=111111 .1.3.6.1.2.1.1.3.0=121212 .1.3.6.1.2.1.1.3.0=field13 .1.3.6.1.2.1.1.3.0=141414 .1.3.6.1.2.1.1.3.0=151515 .1.3.6.1.2.1.1.3.0=161616
EOFS

sql='use uem; INSERT INTO uem_log (uem_dt, uem_num, uem_seq, category, entity, resource, severity, detect_time, message) VALUES ("%s",%d,%d,%d,%d,%d,%d,"%s",%s);\n'
echo "$snmpstr" | stdbuf -i0 -o0 -e0 awk -v sql="$sql" -F '( IP 1| +\\.1.3.6.1.([0-9]|\\.)+=)' '{gsub(/(^\"|\"$)/,"",$15); gsub(/\"/,"|",$15); gsub(/(^|$)/,"\"",$15); printf sql,$1,$3,$16,$7,$9,$10,$11,$13, $15 }'

# uncomment this line to print debug found fields
#echo "$snmpstr" | awk -v sql="$sql" -F '( IP 1| +\\.1.3.6.1.([0-9]|\\.)+=)' 'BEGIN{OFS=" ¬ "} {gsub(/(^\"|\"$)/,"",$15); gsub(/\"/,"|",$15); gsub(/(^|$)/,"\"",$15); print "1:" $1, "3:" $3, "16:" $16, "7:" $7, "9:" $9, "10:" $10, "11:" $11, "13:" $13, "15:" $15 }'

Result

use uem; INSERT INTO uem_log (uem_dt, uem_num, uem_seq, category, entity, resource, severity, detect_time, message) VALUES ("11:47:50.905818",791308,161616,777,999,101010,111111,"field13","151515");
use uem; INSERT INTO uem_log (uem_dt, uem_num, uem_seq, category, entity, resource, severity, detect_time, message) VALUES ("10:59:17.614465",155084,161616,777,999,101010,111111,"field13","151515");

Incomplete records could be avoided by checking the number of awk
records

if(NF >= 16){ printf sql,$1,$3,$16,$7,$9,$10,$11,$13,$15 } else { print "Incomplete snmptrap record: " $0 > "/dev/stderr" }
回复 原文
~没有更多了~

关于作者

柏拉图鍀咏恒

暂无简介

文章
评论
28 人气
发私信

相关话题

更多

热门标签

操作系统 程序设计 IT运维 Linux系统管理 JavaScript 服务器应用 solaris C/C++ PHP Shell BSD Vue.js aix Oracle Python HTML 系统管理 HTML5 CSS 前端
更多

推荐作者

alipaysp_snBf0MSZIv

文章 0 评论 0

梦断已成空

文章 0 评论 0

瞎闹

文章 0 评论 0

凯凯我们等你回来

文章 0 评论 0

寄意

文章 0 评论 0

似梦非梦

文章 0 评论 0

更多

友情链接

文江博客
    我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
    原文