bug: processed SNMP traps persist subject name instead of trap message #3130

New issue

Closed

opened 2026-04-06 06:08:35 +00:00 by mfreeman451 · 0 comments

mfreeman451 commented 2026-04-06 06:08:35 +00:00

Owner

Copy link

Summary

SNMP trap log records in Observability are persisting the subject name logs.snmp.processed as the message body instead of the trap text extracted from the trap varbinds.

Evidence

• Demo query: https://demo.serviceradar.cloud/observability?q=in%3Alogs+time%3Alast_7d+sort%3Atimestamp%3Adesc+limit%3A20+source%3Asnmp&limit=20&tab=logs
• Example log detail: https://demo.serviceradar.cloud/logs/e82773c6-7938-422e-b344-59a688dba2f8

Observed behavior

• SNMP trap records show a generic subject fallback instead of the actual trap message.
• The log detail view therefore surfaces the placeholder value rather than the first meaningful varbind text.

Expected behavior

• Processed SNMP traps should persist a normalized body that contains the trap message text derived from the trap payload.
• If the incoming trap payload omits body, the normalization path should still derive one from the first meaningful varbind instead of falling back to the NATS subject.

Likely root cause

• rust/trapd publishes SNMP traps without a top-level body field.
• The seeded snmp_severity Zen template only rewrites body when body == 'logs.snmp.processed' or body == ''.
• When body is missing/null during Zen evaluation, the expression leaves it unset.
• The DB event-writer then falls back to the subject string logs.snmp.processed.

Suggested scope

• Update SNMP trap normalization so missing/null body is treated the same as the existing empty/sentinel fallback path.
• Add regression coverage for the missing-body case in the SNMP rule/template tests and downstream log parsing path.

## Summary SNMP trap log records in Observability are persisting the subject name `logs.snmp.processed` as the message body instead of the trap text extracted from the trap varbinds. ## Evidence - Demo query: https://demo.serviceradar.cloud/observability?q=in%3Alogs+time%3Alast_7d+sort%3Atimestamp%3Adesc+limit%3A20+source%3Asnmp&limit=20&tab=logs - Example log detail: https://demo.serviceradar.cloud/logs/e82773c6-7938-422e-b344-59a688dba2f8 ## Observed behavior - SNMP trap records show a generic subject fallback instead of the actual trap message. - The log detail view therefore surfaces the placeholder value rather than the first meaningful varbind text. ## Expected behavior - Processed SNMP traps should persist a normalized `body` that contains the trap message text derived from the trap payload. - If the incoming trap payload omits `body`, the normalization path should still derive one from the first meaningful varbind instead of falling back to the NATS subject. ## Likely root cause - `rust/trapd` publishes SNMP traps without a top-level `body` field. - The seeded `snmp_severity` Zen template only rewrites `body` when `body == 'logs.snmp.processed'` or `body == ''`. - When `body` is missing/null during Zen evaluation, the expression leaves it unset. - The DB event-writer then falls back to the subject string `logs.snmp.processed`. ## Suggested scope - Update SNMP trap normalization so missing/null `body` is treated the same as the existing empty/sentinel fallback path. - Add regression coverage for the missing-body case in the SNMP rule/template tests and downstream log parsing path.

mfreeman451 referenced this issue from a commit 2026-04-06 06:30:59 +00:00

fix: normalize SNMP trap bodies (#3130)

mfreeman451 referenced this issue from a pull request that will close it, 2026-04-06 06:31:17 +00:00

fix: normalize SNMP trap bodies #3131

mfreeman451 closed this issue 2026-04-06 06:31:25 +00:00

mfreeman451 referenced this issue from a commit 2026-04-06 06:31:27 +00:00

fix: normalize SNMP trap bodies (#3131)

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

staging

add-signed-wasm-plugin-import

fix-coraza-log-db-writer

fix-log-viewer-syslog-processed

plan-fieldsurvey-spatial-selection

plan-envoy-coraza-waf

plan-alienvault-otx-integration

plan-fieldsurvey-sidekick-daemon

cleanup-openspec-archive-closed-proposals

bug-core-elx-ip-enrichment-reap

fix-release-libcap2-pin-v125

fix-camera-stream-gateway-route

add-core-elx-prometheus-metrics

renovate/debian_testing_slim-testing-slim

renovate/debian_bookworm_slim-bookworm-slim

add-serviceradar-observability-dashboards

add-pgbouncer-helm-cnpg

renovate/ghcr.io-actions-actions-runner

renovate/actions_runner

feat/cluster-agent-runtime-metadata-stability

feat/observability-shell-standardization

feat/observability-live-log-toggle

fix/mtr-bulk-queue-and-srql-targets

fix/mtr-profile-protocol-keyerror

fix/mtr-diagnostics-keyerror

add-demo-rollout-skills

fix-web-ng-test-support-dialyzer

fix-web-ng-dialyzer-findings

add-bulk-queued-mtr-diagnostics

fix-serviceradar-core-integration-failures

harden-agent-updater-exec-arguments

harden-agent-release-trust-boundaries

fix-compose-hermetic-nats-datasvc-bootstrap

fix/openbao-release-issues

elixir/formatting-updates

codex/demo-cnpg-signing-release-fixes

main

chore/lint-fixes

fix/bazel-alpine-bump-and-cosign-skip

fix/mtr-automation-dispatch-cap

update-event-alert-dedup-and-suppression

armis-northbound-events

armis-northbound-availability-updates

renovate/arc_runner

push-owvypksrmooo

codex/topology-endpoint-evidence-investigation

codex/topology-bootstrap-and-layout-simplification

codex/remove-ingress-nginx-edge

fix/forgejo-ci-snmp-cache-and-ubuntu24

bug/cnpg-mtls-failure

bug/log-collector

fix/forgejo-runner-labels

fix/cargo-lock-sync

remove-arc-runner-from-push-all

fix-push-all-cosign-preflight

fix-go-ci

add-versioned-openapi-publish

chore/forgejo-hardening

security/k8s-hardening

update/cluster-page-agents

updates/helm-security-updates

2406-feat-agent-fleet-management-secure-self-update-system

bug/k8s-helm-deployments

chore/k8s-arc-update

rust-fix

2371-analytics-stats-cards-should-abbreviate-numbers

chore/perl-cleanup

2942-featweb-ng-add-logs-tab-to-device-details-page

192-feat-tftp-server

mikemiles-dev/feature/netflow_collection

testing

dependabot/cargo/hostname-0.4.1

dependabot/cargo/redis-1.0.1

dependabot/cargo/bb8-0.9.0

dependabot/cargo/rcgen-0.14.6

dependabot/cargo/hyper-1.8.1

dependabot/cargo/hyper-util-0.1.19

dependabot/cargo/clap-4.5.51

dependabot/cargo/thiserror-2.0.17

dependabot/cargo/time-tz-2.0.0

dependabot/cargo/tonic-build-0.14.2

backup/main-pre-staging-sync-2026-04-02

dependabot/npm_and_yarn/docs/mdast-util-to-hast-13.2.1

815-feat-support-win32-for-agentpoller

gh-pages

v1.2.27

v1.2.26

v1.2.25

v1.2.24

v1.2.23

v1.2.22

v1.2.21

v1.2.20

v1.2.19

v1.2.18

v1.2.17

v1.2.16

v1.2.15

v1.2.14

v1.2.13

v1.2.12

v1.2.11

v1.2.6

v1.2.10

v1.2.9

v1.2.8

v1.2.7

v1.2.5

v1.2.4

v1.2.3

v1.2.2

v1.2.1

v1.2.0

v1.1.2

v1.1.0

v1.0.92

v1.0.91

v1.0.90

v1.0.89

v1.0.88

v1.0.87

v1.0.86

v1.0.85

v1.0.84

v1.0.83

v1.0.82

v1.0.81

v1.0.78

v1.0.77

v1.0.76

v1.0.70

v1.0.69

v1.0.68

v1.0.67

v1.0.66

v1.0.65

v1.0.64

v1.0.63

v1.0.62

v1.0.61

v1.0.60

v1.0.59

v1.0.58

1.0.57

v1.0.56

v1.0.55

v1.0.54-pre5

v1.0.53

v1.0.53-pre19

v1.0.53-pre18

v1.0.53-pre17

v1.0.53-pre15

1.0.53-pre10

1.0.53-pre9

1.0.53-pre8

1.0.53-pre7

1.0.53-pre6

1.0.53-pre5

1.0.53-pre4

1.0.53-pre3

1.0.53-pre2

1.0.53-pre1

1.0.52

1.0.51

1.0.50

1.0.49

1.0.49-pre5

1.0.49-pre4

1.0.49-pre3

1.0.49-pre2

1.0.48

1.0.48-rc2

1.0.48-rc1

1.0.48-pre8

1.0.48-pre7

1.0.48-pre6

1.0.48-pre5

1.0.48-pre4

1.0.48-pre3

1.0.48-pre2

1.0.48-pre1

1.0.47

1.0.47-pre8

1.0.47-pre7

1.0.47-pre6

1.0.47-pre5

1.0.47-pre4

1.0.47-pre3

1.0.47-pre2

1.0.47-pre1

1.0.46

1.0.46-pre9

1.0.46-pre8

1.0.46-pre7

1.0.46-pre6

1.0.46-pre5

1.0.46-pre4

1.0.46-pre3

1.0.46-pre2

1.0.46-pre1

1.0.45

1.0.44

1.0.44-pre12

1.0.44-pre11

1.0.44-pre10

1.0.44-pre9

1.0.44-pre8

1.0.44-pre7

1.0.44-pre6

1.0.44-pre5

1.0.44-pre4

1.0.44-pre3

1.0.44-pre2

1.0.44-pre1

1.0.43

1.0.42

1.0.41

1.0.41-pre1

1.0.40

1.0.40-pre11

1.0.40-pre10

1.0.40-pre9

1.0.40-pre8

1.0.40-pre7

1.0.40-pre6

1.0.40-pre5

1.0.40-pre4

1.0.40-pre3

1.0.40-pre2

1.0.40-pre1

1.0.39

1.0.38

1.0.37

1.0.36

1.0.36-pre5

1.0.36-pre4

1.0.36-pre3

1.0.36-pre2

1.0.35

1.0.35-pre3

1.0.35-pre2

1.0.35-pre

1.0.34-pre3

1.0.34-pre2

1.0.34-pre1

1.0.33

1.0.33-pre2

1.0.33-pre

1.0.32

1.0.31

1.0.30

1.0.29

1.0.28

1.0.27

1.0.26

1.0.25

1.0.24

1.0.23

1.0.22

1.0.21

1.0.20

1.0.19

1.0.18

1.0.17

1.0.16

1.0.15

1.0.14

1.0.13

1.0.11

1.0.10

1.0.9

1.0.8

1.0.7

1.0.6

1.0.5

1.0.4

1.0.3

1.0.2

1.0.1

1.0.0

Labels

Clear labels   

1week

  

2weeks

  

Failed compliance check

  

IP cameras

  

NATS

NATS JetStream

  

Possible security concern

  

Review effort 1/5

  

Review effort 2/5

  

Review effort 3/5

  

Review effort 4/5

  

Review effort 5/5

  

UI

  

aardvark

  

accessibility

  

amd64

  

api

  

arm64

  

auth

  

back-end

  

bgp

  

blog

  

bug

Something isn't working

  

build

  

checkers

  

ci-cd

continuous integration-continuous deployments

  

cleanup

  

cnpg

cloud-native postgres

  

codex

  

core

core service

  

dependencies

Pull requests that update a dependency file

  

device-management

  

documentation

Improvements or additions to documentation

  

duplicate

This issue or pull request already exists

  

dusk

  

ebpf

  

enhancement

New feature or request

  

eta 1d

  

eta 1hr

  

eta 3d

  

eta 3hr

  

feature

  

fieldsurvey

  

github_actions

Pull requests that update GitHub Actions code

  

go

Pull requests that update Go code

  

good first issue

Good for newcomers

  

help wanted

Extra attention is needed

  

invalid

This doesn't seem right

  

javascript

Pull requests that update Javascript code

  

k8s

  

log-collector

  

mapper

  

mtr

multi traceroute

  

needs-triage

  

netflow

  

network-sweep

  

observability

  

oracle

Oracle Linux related issues

  

otel

opentelemetry logs, traces, metrics

  

plug-in

  

proton

timeplus proton streaming database

  

python

  

question

Further information is requested

  

reddit

  

redhat

  

research

  

rperf

  

rperf-checker

  

rust

Pull requests that update rust code

  

sdk

  

security

  

serviceradar-agent

  

serviceradar-agent-gateway

  

serviceradar-web

  

serviceradar-web-ng

  

siem

  

snmp

  

sysmon

  

topology

  

ubiquiti

  

wasm

  

wontfix

This will not be worked on

  

zen-engine

No labels

1week

2weeks

Failed compliance check

IP cameras

NATS

Possible security concern

Review effort 1/5

Review effort 2/5

Review effort 3/5

Review effort 4/5

Review effort 5/5

UI

aardvark

accessibility

amd64

api

arm64

auth

back-end

bgp

blog

bug

build

checkers

ci-cd

cleanup

cnpg

codex

core

dependencies

device-management

documentation

duplicate

dusk

ebpf

enhancement

eta 1d

eta 1hr

eta 3d

eta 3hr

feature

fieldsurvey

github_actions

go

good first issue

help wanted

invalid

javascript

k8s

log-collector

mapper

mtr

needs-triage

netflow

network-sweep

observability

oracle

otel

plug-in

proton

python

question

reddit

redhat

research

rperf

rperf-checker

rust

sdk

security

serviceradar-agent

serviceradar-agent-gateway

serviceradar-web

serviceradar-web-ng

siem

snmp

sysmon

topology

ubiquiti

wasm

wontfix

zen-engine

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

carverauto/serviceradar#3130

No description provided.