3854 Views, 6 Helpful, 5 Replies

Syslog & SNMP traps

a.hajhamad
Level 4

Hi,

what is the difference between syslog and SNMP traps?

Thanks in advance

Abd Alqader

1 Accepted Solution

You can only send both types of messages to the same server if that server is both a syslog server and an SNMP trap server. LMS happens to be one such server. RME will process syslog messages, and DFM will process some SNMP traps.

There are numerous events that only generate syslog messages, and a few that only generate SNMP traps. As I said, since it is much easier to create a new syslog message, there are MANY more syslog messages than SNMP traps.

With a suite such as LMS, sending both can add additional benefit. RME allows you to take various actions based on the reception of syslog messages, whereas DFM will use certain traps to build device fault information. DFM presents that information in a concise fault dashboard, whereas the syslog messages are stored more for reporting.

So, if you send both to LMS, you will have a good real-time fault dashboard your operators can watch, be notified about certain important events via email, pager, etc., and have an audit trail of events on which to report.


5 Replies

apaxson
Level 1

They are normally used for two different functions:

SYSLOG: This is a logging facility. If you are familiar with Windows, you have no doubt used this type of logging, like the Event Viewer. (For Unix/Linux, this would be your /var/log/messages.) It gives you various details of the happenings of the equipment, from logs dealing only with ERRORs to HUGE log files of DEBUG logs telling you everything that the equipment is doing.

SNMP TRAP: These are asynchronous events sent to a central management system. They are essentially triggers that tell the management system that something happened, such as a configuration change or a link failure. Your management system can then take action, such as notifying a tech.

Does this help?

How about a host flapping alert? How do we categorize it, and what is its possible cause?

Thanks a lot.

Joe Clarke
Cisco Employee

Syslog messages are typically ASCII text messages that are generated by system processes when events occur. Internally, they are classified by a facility and a severity. A facility is a category or type of message. Within UNIX, the facility is encoded as a 5-bit integer. Within IOS, there are two types of facilities. The first is the internal message facility such as SYS, OSPF, DUAL, MGMT, etc. The second is the UNIX facility such as mail, auth, local7, etc.

The severity is a 3-bit number from 0 to 7. The lower the severity number, the more severe the event. For example, a message with a severity of 0 indicates that a device or subsystem is inoperable, whereas a severity of 7 is typically used to represent some kind of debugging information.

Syslog messages can be sent via the network to centralized syslog servers. When this happens, the body of the message is encapsulated directly on the wire, but the UNIX facility and severity are summed into an 8-bit integer which makes up the header of the message and tells the receiving server what kind of actions to take (e.g. write the message to a certain file, send an email, etc.). Syslog typically uses UDP port 514 for network transmission, but IOS allows syslog to be sent over TCP as well as using the BEEP protocol. Cisco devices send syslog messages with a UNIX facility of local7 by default. Syslog messages are not acknowledged by the server.

SNMP traps, on the other hand, are well-defined notifications encoded using ASN.1 rules. Like syslog messages, they are used by systems to indicate that certain events have occurred. Trap packets are made up of an enterprise OID, agent (i.e. sender) address, generic identifier, specific identifier, time stamp, and any number of variable bindings. These variable bindings make up the interesting bits of the trap that provide details about the event that occurred. Each trap and its varbinds are defined in a MIB.

SNMP traps are sent from an agent to a manager (server) using UDP port 162. Like syslog messages, SNMP traps are not acknowledged by the manager.

Many traps have equivalent syslog messages (e.g. link state change, OSPF adjacency changes, config changes, etc.), but because both notification systems use UDP, many users choose to capture both for reliability purposes. Additionally, because of the need to define all traps in MIB modules, it takes much longer to get a new trap supported by a device. So many times, a new event will trigger a syslog message before it generates a trap.
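As an added example (written for this page, not code from the thread or from any Cisco product), the following Python decodes both wire formats Joe describes: it splits a syslog PRI header into UNIX facility and severity and parses the IOS `%FACILITY-SEVERITY-MNEMONIC:` body, and it builds and then decodes a minimal SNMPv1 Trap-PDU (enterprise OID, agent address, generic/specific identifiers, time stamp, varbinds) with a small BER encoder/decoder. The syslog line, community string, agent address, interface index and uptime are constructed for illustration; the Cisco enterprise OID and the ifIndex/ifOperStatus OIDs are the standard ones. The BER helpers handle only the definite short and one-byte long length forms and INTEGER-valued varbinds, which is all this sample needs.

```python
"""Constructed example: decode a syslog datagram (8-bit PRI = facility*8 + severity,
then free text) and an SNMPv1 Trap-PDU (BER-encoded ASN.1 with fixed fields plus
variable bindings). No real device traffic is used."""
import re

SEVERITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITY = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news", "uucp",
            "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
            "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
# IOS body layout: %FACILITY-SEVERITY-MNEMONIC: text
IOS_RE = re.compile(r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnem>[A-Z0-9_]+):\s*(?P<text>.*)")


def parse_syslog(datagram: bytes) -> dict:
    """Split the PRI header into UNIX facility/severity and parse the IOS body."""
    m = re.match(rb"<(\d{1,3})>(.*)", datagram, re.S)
    if not m or int(m.group(1)) > 191:          # 24 facilities * 8 severities - 1
        raise ValueError("bad or missing PRI")
    facility, severity = divmod(int(m.group(1)), 8)
    body = m.group(2).decode("ascii", "replace")
    rec = {"facility": FACILITY[facility], "severity": SEVERITY[severity], "body": body}
    ios = IOS_RE.search(body)
    if ios:
        rec["ios"] = ios.groupdict()
        # The IOS severity digit should agree with the PRI severity; a mismatch
        # suggests a relay rewrote the header or the line did not come from IOS.
        rec["consistent"] = int(ios["sev"]) == severity
    return rec


# --- minimal BER helpers (definite lengths below 256 octets only) ---
def tlv(tag: int, content: bytes) -> bytes:
    n = len(content)
    return bytes([tag]) + (bytes([n]) if n < 128 else bytes([0x81, n])) + content

def int_bytes(v: int) -> bytes:          # minimal two's-complement content octets
    return v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True)

def ber_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:                    # base-128 sub-identifiers, high bit = continue
        chunk = [a & 0x7F]; a >>= 7
        while a: chunk.append(0x80 | (a & 0x7F)); a >>= 7
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))

def ber_read(buf: bytes, pos: int = 0):
    """Return (tag, content, next_pos) for the TLV starting at pos."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F; ln = int.from_bytes(buf[pos:pos + n], "big"); pos += n
    return tag, buf[pos:pos + ln], pos + ln

def decode_oid(c: bytes) -> str:
    arcs, v = [c[0] // 40, c[0] % 40], 0
    for b in c[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80: arcs.append(v); v = 0
    return ".".join(map(str, arcs))

def decode_int(c: bytes) -> int:
    return int.from_bytes(c, "big", signed=True)


def encode_trap_v1(community, enterprise, agent_ip, generic, specific, uptime, varbinds):
    """Message{version=0, community, Trap-PDU[4]{enterprise, agent-addr, generic,
    specific, time-stamp, varbinds}}; varbind values are INTEGERs here."""
    vbs = b"".join(tlv(0x30, ber_oid(o) + tlv(0x02, int_bytes(v))) for o, v in varbinds)
    pdu = (ber_oid(enterprise)
           + tlv(0x40, bytes(int(x) for x in agent_ip.split(".")))   # IpAddress
           + tlv(0x02, int_bytes(generic)) + tlv(0x02, int_bytes(specific))
           + tlv(0x43, int_bytes(uptime))                           # TimeTicks
           + tlv(0x30, vbs))
    return tlv(0x30, tlv(0x02, int_bytes(0)) + tlv(0x04, community.encode()) + tlv(0xA4, pdu))


def decode_trap_v1(msg: bytes) -> dict:
    tag, body, _ = ber_read(msg)
    _, ver, p = ber_read(body); _, comm, p = ber_read(body, p); ptag, pdu, _ = ber_read(body, p)
    if tag != 0x30 or decode_int(ver) != 0 or ptag != 0xA4:
        raise ValueError("not an SNMPv1 Trap-PDU")
    fields, p = [], 0
    while p < len(pdu):
        _, c, p = ber_read(pdu, p); fields.append(c)
    ent, addr, gen, spec, ts, vbs = fields
    varbinds, p = [], 0
    while p < len(vbs):
        _, vb, p = ber_read(vbs, p)
        _, oid, q = ber_read(vb); _, val, _ = ber_read(vb, q)
        varbinds.append((decode_oid(oid), decode_int(val)))
    return {"community": comm.decode(), "enterprise": decode_oid(ent),
            "agent": ".".join(map(str, addr)), "generic": decode_int(gen),
            "specific": decode_int(spec), "uptime": decode_int(ts), "varbinds": varbinds}


# Constructed samples: an IOS link-down syslog line at local7.err (PRI 23*8+3 = 187)
# and the equivalent linkDown trap (generic-trap 2) carrying ifIndex/ifOperStatus.
SYSLOG_SAMPLE = b"<187>42: *Mar  1 00:10:05.123: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down"
TRAP_SAMPLE = encode_trap_v1("public", "1.3.6.1.4.1.9", "192.0.2.10", 2, 0, 6012,
                             [("1.3.6.1.2.1.2.2.1.1.3", 3), ("1.3.6.1.2.1.2.2.1.8.3", 2)])
```

Both decoders are deliberately strict: a PRI above 191 or a message whose version is not 0 or whose PDU tag is not `[4]` is rejected rather than guessed at, which is the behaviour you want in a collector that receives unauthenticated UDP from anyone who can reach port 514 or 162. The `consistent` flag in the syslog record is the kind of cheap sanity check a SIEM rule can key on when relays or spoofed senders rewrite headers.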

Many Thanks.

As I understood from your post, we can't send SNMP traps to a syslog server or vice versa, right?

In general, if both are configured, any event that occurs on a device can trigger IOS to send to both the syslog server and a management server like LMS, right? Also, can all events trigger both? I mean, is there any event that can trigger, for example, the SNMP trap and not the syslog, or vice versa?

You told me that SNMP traps are well-defined notifications, but syslog messages are generated by the process, which means it is better to have syslog, since maybe some MIB is not defined, so it will not generate an SNMP trap, right?

But for a better design, having both configured, according to the acknowledgement issue.

Thanks in advance

Abd Alqader