RE: SNMP Syslog

From: gladston@br.ibm.com
Date: Fri May 27 2005 - 11:46:05 GMT-3


Tim, Simon,

Thanks,
There is good information about sending syslog as SNMP messages in the
'Cisco Cookbook'.

It seems there is a limitation on the number of traps produced by the
router:
"However, since routers can produce many more syslog messages than SNMP
traps..."

It would explain why I saw more Syslog messages than messages sent by
SNMP.

What do you think?

====================
quoted

"Cisco routers normally forward syslog messages via the syslog facility
using UDP port 514. However, in networks that support SNMP traffic only,
Cisco routers can encapsulate their syslog messages into SNMP traps before
sending them.
This feature is most useful if your network management software doesn't
support the syslog protocol. However, since routers can produce many more
syslog messages than SNMP traps, we recommend using syslog where possible.
Further, the fact that all of the syslog messages sent as SNMP traps use
the same OID number can make parsing for particular log messages quite
difficult.
Here is an example log message as it appears in the router's log:
Router#clear counters
Clear "show interface" counters on all interfaces [confirm]
Router#
May 28 10:07:04: %CLEAR-5-COUNTERS: Clear counter on all interfaces by ijbrown on vty0 (172.25.1.1)

The router sends this message as a trap to the network management server,
which records it in its trap log:
Freebsd% tail snmptrapd.log
May 28 10:07:04 freebsd snmptrapd[77759]: 172.25.25.1: Enterprise Specific Trap (1)
Uptime: 18 days, 22:35:26.99, enterprises.9.9.41.1.2.3.1.2.118 = "CLEAR",
enterprises.9.9.41.1.2.3.1.3.118 = 6, enterprises.9.9.41.1.2.3.1.4.118 = "COUNTERS",
enterprises.9.9.41.1.2.3.1.5.118 = "Clear counter on all interfaces by ijbrown on vty0 (172.25.1.1)",
enterprises.9.9.41.1.2.3.1.6.118 = Timeticks: (163652698) 18 days, 22:35:26.98
Freebsd%
=======================

Simon, I tested whether there were any changes in the results of the test
using 'logging traps 7'.
It really did not change the result, as pointed out by Tim.

To change the level of trap messages sent by the router to the SNMP
server, this is the command:
        logging history informational
This is consistent with the information in Doyle Vol. II and Deal's book.

But I could not confirm this information following the messages received
on the SNMP server.

Cordially,
------------------------------------------------------------------
 Gladston
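As an added example (my own code, not from the thread or the Cookbook), a small Python parser that decodes the snmptrapd line quoted above back into the router's %FACILITY-LEVEL-MNEMONIC form, so that particular messages can be selected by facility or level instead of by the shared OID prefix. Assumptions: the column numbers follow CISCO-SYSLOG-MIB's clogHistoryEntry (facility, severity, message name, text, timestamp), the regex is tailored to the net-snmp snmptrapd output format shown, and the severity offset (%CLEAR-5-COUNTERS arriving as severity 6) follows the MIB's SyslogSeverity convention emergency(1)..debug(8).

```python
import re

# clogHistoryEntry columns live under enterprises.9.9.41.1.2.3.1.<column>.<index>
# (assumed from CISCO-SYSLOG-MIB; column numbers match the quoted trap log).
CLOG_COLUMNS = {2: "facility", 3: "severity", 4: "mnemonic", 5: "text", 6: "timestamp"}

# MIB SyslogSeverity runs emergency(1)..debug(8), i.e. syslog level + 1,
# which is why %CLEAR-5-COUNTERS shows up with severity 6 in the trap.
MIB_SEVERITY = {1: "emergency", 2: "alert", 3: "critical", 4: "error",
                5: "warning", 6: "notice", 7: "info", 8: "debug"}

# One varbind as snmptrapd prints it: OID = "string" | Timeticks: (n) ... | integer
VARBIND_RE = re.compile(
    r'enterprises\.9\.9\.41\.1\.2\.3\.1\.(\d+)\.(\d+) = '
    r'(?:"(?P<str>[^"]*)"|Timeticks: \((?P<ticks>\d+)\)|(?P<int>\d+))')

# Constructed sample: the snmptrapd.log excerpt from the thread, re-joined onto one line.
SAMPLE_LINE = (
    'May 28 10:07:04 freebsd snmptrapd[77759]: 172.25.25.1: Enterprise Specific Trap (1) '
    'Uptime: 18 days, 22:35:26.99, enterprises.9.9.41.1.2.3.1.2.118 = "CLEAR", '
    'enterprises.9.9.41.1.2.3.1.3.118 = 6, enterprises.9.9.41.1.2.3.1.4.118 = "COUNTERS", '
    'enterprises.9.9.41.1.2.3.1.5.118 = "Clear counter on all interfaces by ijbrown on '
    'vty0 (172.25.1.1)", enterprises.9.9.41.1.2.3.1.6.118 = Timeticks: (163652698) 18 '
    'days, 22:35:26.98')


def parse_clog_trap(line):
    """Return the clogHistoryEntry fields carried by one snmptrapd line, or None."""
    entry = {}
    for m in VARBIND_RE.finditer(line):
        name = CLOG_COLUMNS.get(int(m.group(1)))
        if name is None:            # some other column of the same table
            continue
        entry["index"] = int(m.group(2))
        if m.group("str") is not None:
            entry[name] = m.group("str")
        elif m.group("ticks") is not None:
            entry[name] = int(m.group("ticks"))
        else:
            entry[name] = int(m.group("int"))
    if "severity" in entry:
        entry["level"] = entry["severity"] - 1      # back to the 0..7 syslog level
        entry["severity_name"] = MIB_SEVERITY.get(entry["severity"], "unknown")
    return entry or None


def to_syslog_form(entry):
    """Rebuild the router-style message, e.g. '%CLEAR-5-COUNTERS: Clear counter ...'."""
    return f"%{entry['facility']}-{entry['level']}-{entry['mnemonic']}: {entry['text']}"


def wanted(entry, facility=None, max_level=7):
    """Select a trap by facility and/or maximum syslog level (lower = more severe)."""
    return (facility is None or entry["facility"] == facility) and entry["level"] <= max_level
```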

"ccie2be" <ccie2be@nyc.rr.com>
26/05/2005 21:46

To
"'simon hart'" <simon.hart@btinternet.com>, Alaerte Gladston
Vidali/Brazil/IBM@IBMBR, <ccielab@groupstudy.com>
cc

Subject
RE: SNMP Syslog

From my study notes:

-Gotcha: Unlike when sending log messages to other destinations such as the
internal buffer or a syslog server, to send log messages to an snmp-server
you don't use a command that begins with logging; you use the command
snmp-server enable trap syslog along with whatever other commands are needed
for snmp.

-Gotcha: Although you might think that the logging trap <severity level>
command is related to snmp traps, actually this command is used to specify
which severity level of messages is sent to the syslog server and has
nothing to do with snmp.

HTH, Tim

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
simon hart
Sent: Wednesday, March 16, 2005 3:23 PM
To: gladston@br.ibm.com; ccielab@groupstudy.com
Subject: RE: SNMP Syslog

Not entirely sure, but I think you should have

logging traps debugging

or

logging traps 7

Simon

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
gladston@br.ibm.com
Sent: 16 March 2005 18:42
To: ccielab@groupstudy.com
Subject: SNMP Syslog

Reading Doyle Vol. II and Deal's Cisco Router Firewall Security, I thought
it would be possible to send any syslog messages to the SNMP management
station, but it seems to work differently.

Only some messages are sent via SNMP, even though "logging history
debugging" is configured.

Any feedback appreciated.

r1#sh logg
Syslog logging: enabled (0 messages dropped, 1 messages rate-limited, 0
flushes, 0 overruns)
Console logging: level emergencies, 1439 messages logged
Monitor logging: level debugging, 0 messages logged
Buffer logging: level debugging, 4713 messages logged
Logging Exception size (4096 bytes)
Trap logging: level debugging, 1851 message lines logged

r1#sh snmp
Chassis: 26411040
0 SNMP packets input
0 Bad SNMP version errors
0 Unknown community name
0 Illegal operation for community name supplied
0 Encoding errors
0 Number of requested variables
0 Number of altered variables
0 Get-request PDUs
0 Get-next PDUs
0 Set-request PDUs
107 SNMP packets output
0 Too big errors (Maximum packet size 1500)
0 No such name errors
0 Bad values errors
0 General errors
0 Response PDUs
107 Trap PDUs

SNMP logging: enabled
Logging to 172.16.100.100.162, 0/10, 12 sent, 0 dropped.
r1#



This archive was generated by hypermail 2.1.4 : Fri Jun 03 2005 - 10:12:03 GMT-3