Syslog or SNMP traps?

 
 
Illusion
      10-31-2003
Hi,

I am looking at best methods of monitoring our Cisco switches and routers. I
have been working on a centralised linux syslog server which collects syslog
messages from the Cisco's, writes them to a MySQL database, has a web
frontend for viewing logs and also sends email alerts when it detects key
words in the log files.

I'd not considered doing anything with SNMP traps up until now though. Could
someone tell me the differences between the two? Is one more 'verbose' than
the other (if I can use such a term)? Really what I'm wondering is if I am
going to miss any events that could happen with the devices if I just stick
to monitoring syslog.

Any info greatly appreciated.

Thanks,

Dan


 
 
 
 
 
Walter Roberson
      10-31-2003
Illusion wrote:
:I am looking at best methods of monitoring our Cisco switches and routers. I
:have been working on a centralised linux syslog server which collects syslog
:messages from the Cisco's, writes them to a MySQL database, has a web
:frontend for viewing logs and also sends email alerts when it detects key
:words in the log files.

Sounds like Network Intelligence's PrivateI product.

PrivateI is not exactly a "bargain basement" price [sorry if that doesn't
translate culturally]; one of their main selling points is that they
claim to be able to handle large numbers of events per second. How
active are your devices?


:I'd not considered doing anything with SNMP traps up until now though. Could
:someone tell me the differences between the two? Is one more 'verbose' than
:the other (if I can use such a term)? Really what I'm wondering is if I am
:going to miss any events that could happen with the devices if I just stick
:to monitoring syslog.

On some devices, SNMP traps can be created that will explicitly
note events such as "interface usage exceeded 80%", that you might
otherwise have to deduce by polling all the interface stats, keeping
track of them, doing bytes per second analysis, and so on. The trap
so created might have information that you could not normally
deduce from passive syslog analysis -- e.g., sometimes syslog messages
do not include information about interface number whereas the
corresponding trap would.

Traps can also have an "acknowledgement" facility. If I understand
correctly, if the monitoring device acknowledges the trap, the
sending device will flush the trap information, with it otherwise
holding on to the information until asked for a message dump or
the queue fills up.


The problem with monitoring lots of devices (especially with active
notification via traps) is that you have to figure out what to
*do* with the information. For example, every time one of our
computers with a 10 Mb connection gets backed up over net, I get
a slew of notifications about 80%+ link utilization. So, the
backup is making efficient use of the limited network. What
am I supposed to -do- about it? It'd be less expensive to replace
the computers in question than to find a 100 Mb/s NIC for them,
but since they are functioning as designed, it'd be silly to
replace them just in order to not get alarms to the monitoring
program...
--
csh is bad drugs.
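
An added example, not part of Walter's post: the polling-side work that an "interface usage exceeded 80%" trap saves you from, in Python. The counter readings are constructed for illustration; `ifInOctets` and `ifSpeed` are the standard IF-MIB objects a poller would read, and the function names are hypothetical.

```python
from dataclasses import dataclass

COUNTER32_MOD = 2 ** 32  # ifInOctets is a 32-bit counter and wraps to zero


@dataclass
class Sample:
    """One poll of an interface's ifInOctets counter."""
    timestamp: float  # seconds since the first poll
    octets: int       # raw counter reading


def counter_delta(prev: int, curr: int, modulus: int = COUNTER32_MOD) -> int:
    """Octets received between two readings, allowing for one counter wrap."""
    return (curr - prev) % modulus


def utilization(prev: Sample, curr: Sample, if_speed_bps: int) -> float:
    """Fraction of link capacity used between two polls."""
    elapsed = curr.timestamp - prev.timestamp
    if elapsed <= 0:
        raise ValueError("samples must be in increasing time order")
    bits = counter_delta(prev.octets, curr.octets) * 8
    return bits / (elapsed * if_speed_bps)


def busy_intervals(samples, if_speed_bps, threshold=0.80):
    """Return (start, end, utilization) for each poll interval above threshold."""
    hits = []
    for prev, curr in zip(samples, samples[1:]):
        u = utilization(prev, curr, if_speed_bps)
        if u > threshold:
            hits.append((prev.timestamp, curr.timestamp, round(u, 3)))
    return hits


# Constructed readings: a 10 Mb/s link polled every 60 s; the counter wraps
# during the second interval, which is also the busy one (a backup running).
LINK_SPEED_BPS = 10_000_000  # value a poller would read from ifSpeed
SAMPLES = [
    Sample(0.0, 4_250_000_000),
    Sample(60.0, 4_265_000_000),
    Sample(120.0, 36_032_704),
    Sample(180.0, 66_032_704),
]

if __name__ == "__main__":
    for start, end, u in busy_intervals(SAMPLES, LINK_SPEED_BPS):
        print(f"{start:.0f}s-{end:.0f}s: {u:.0%} of link capacity")
```

Without the modulo in `counter_delta`, the wrapped interval would yield a large negative delta and the busy period would be missed.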
 
 
 
 
 
Illusion
      11-03-2003
Thanks for the info Walter.

Cheers, Dan


 
 
Pete Mainwaring
      11-04-2003
"Illusion" wrote:
> Thanks for the info Walter.
>
> Cheers, Dan


A good answer from Walter, but just to add a bit more to it, we use
both syslog and SNMP traps. Much of the information is duplicated, but
there are events where a device will only generate a trap and others
where it only generates a syslog entry (sorry - can't think of any
specific examples at the moment). Also, we find that the information
contained in the syslog and SNMP trap can be slightly different for
the same event, one or the other being of more use in certain
situations.

Pete
 