Syslog or SNMP traps?

Discussion in 'Cisco' started by Illusion, Oct 31, 2003.

  1. Illusion

    Illusion Guest

    Hi,

    I am looking at best methods of monitoring our Cisco switches and routers. I
    have been working on a centralised linux syslog server which collects syslog
    messages from the Ciscos, writes them to a MySQL database, has a web
    frontend for viewing logs and also sends email alerts when it detects key
    words in the log files.

    I'd not considered doing anything with SNMP traps up until now though. Could
    someone tell me the differences between the two? Is one more 'verbose' than
    the other (if I can use such a term)? Really what I'm wondering is if I am
    going to miss any events that could happen with the devices if I just stick
    to monitoring syslog.

    Any info greatly appreciated.

    Thanks,

    Dan
     
    Illusion, Oct 31, 2003
    #1

  2. In article <>,
    Illusion <> wrote:
    :I am looking at best methods of monitoring our Cisco switches and routers. I
    :have been working on a centralised linux syslog server which collects syslog
    :messages from the Ciscos, writes them to a MySQL database, has a web
    :frontend for viewing logs and also sends email alerts when it detects key
    :words in the log files.

    Sounds like Network Intelligence's PrivateI product.

    PrivateI is not exactly a "bargain basement" price [sorry if that doesn't
    translate culturally]; one of their main selling points is that they
    claim to be able to handle large numbers of events per second. How
    active are your devices?


    :I'd not considered doing anything with SNMP traps up until now though. Could
    :someone tell me the differences between the two? Is one more 'verbose' than
    :the other (if I can use such a term)? Really what I'm wondering is if I am
    :going to miss any events that could happen with the devices if I just stick
    :to monitoring syslog.

    On some devices, SNMP traps can be created that will explicitly
    note events such as "interface usage exceeded 80%", that you might
    otherwise have to deduce by polling all the interface stats, keeping
    track of them, doing bytes per second analysis, and so on. The trap
    so created might have information that you could not normally
    deduce from passive syslog analysis -- e.g., sometimes syslog messages
    do not include information about interface number whereas the
    corresponding trap would.

    Traps can also have an "acknowledgement" facility. If I understand
    correctly, if the monitoring device acknowledges the trap, the
    sending device will flush the trap information, with it otherwise
    holding on to the information until asked for a message dump or
    the queue fills up.


    The problem with monitoring lots of devices (especially with active
    notification via traps) is that you have to figure out what to
    *do* with the information. For example, every time one of our
    computers with a 10 Mb connection gets backed up over net, I get
    a slew of notifications about 80%+ link utilization. So, the
    backup is making efficient use of the limited network. What
    am I supposed to -do- about it? It'd be less expensive to replace
    the computers in question than to find a 100 Mb/s NIC for them,
    but since they are functioning as designed, it'd be silly to
    replace them just in order to not get alarms to the monitoring
    program...
    --
    csh is bad drugs.
     
    Walter Roberson, Oct 31, 2003
    #2
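
    The polling-and-rate arithmetic described in the post above, as an added example that is not part of the thread: it turns successive polls of an interface octet counter into a utilization percentage and flags intervals at or above 80%. It assumes 32-bit IF-MIB counters (`ifInOctets`, with `ifSpeed` as the link speed); the function names and the sample polls are constructed for illustration.

```python
# Added example: what a monitoring station has to do itself when the device
# does not send a utilization trap. Sample data below is constructed.

COUNTER32_MOD = 2 ** 32  # assumed: ifInOctets is a 32-bit counter that wraps to 0


def octet_delta(prev, curr, modulus=COUNTER32_MOD):
    """Octets transferred between two polls, tolerating a single counter wrap.

    If the counter can wrap more than once per poll interval the result is
    an undercount, so the poll interval must be shorter than the wrap time.
    """
    return (curr - prev) % modulus


def utilization_pct(prev, curr, interval_s, if_speed_bps):
    """Average link utilization (percent) over one poll interval."""
    if interval_s <= 0 or if_speed_bps <= 0:
        raise ValueError("interval and link speed must be positive")
    bits = octet_delta(prev, curr) * 8
    return 100.0 * bits / (interval_s * if_speed_bps)


def over_threshold(samples, if_speed_bps, threshold_pct=80.0):
    """Return [(timestamp, pct)] for each interval at or above the threshold.

    samples is a time-ordered list of (timestamp_s, octet_counter) polls.
    """
    alerts = []
    for (t0, c0), (t1, c1) in zip(samples, samples[1:]):
        pct = utilization_pct(c0, c1, t1 - t0, if_speed_bps)
        if pct >= threshold_pct:
            alerts.append((t1, round(pct, 1)))
    return alerts


# Constructed polls of one 10 Mb/s interface, 60 s apart; the counter wraps
# between t=120 and t=180.
SAMPLE_POLLS = [
    (0, 4_200_000_000),
    (60, 4_215_000_000),
    (120, 4_280_000_000),
    (180, 45_032_704),
    (240, 50_032_704),
]

if __name__ == "__main__":
    for when, pct in over_threshold(SAMPLE_POLLS, if_speed_bps=10_000_000):
        print(f"t={when}s utilization {pct}%")
```
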

  3. Illusion

    Illusion Guest

    Thanks for the info Walter.

    Cheers, Dan
     
    Illusion, Nov 3, 2003
    #3
  4. "Illusion" <> wrote in message news:<>...
    > Thanks for the info Walter.
    >
    > Cheers, Dan


    A good answer from Walter, but just to add a bit more to it, we use
    both syslog and SNMP traps. Much of the information is duplicated, but
    there are events where a device will only generate a trap and others
    where it only generates a syslog entry (sorry - can't think of any
    specific examples at the moment). Also, we find that the information
    contained in the syslog and SNMP trap can be slightly different for
    the same event, one or the other being of more use in certain
    situations.

    Pete
     
    Pete Mainwaring, Nov 4, 2003
    #4