Re: Send SNMP traps as Syslog messages

i.va · ‎05-08-2019

We have a Cisco network (3850 stacks with Converged Access running v16.3.7) and a Syslog Server (Splunk). I would like to send SNMP traps as Syslog messages to our Syslog Server. Reason being, that our rogue AP detection feature only seems to send SNMP traps, and no syslog messages.

I have found several guides on how to send Syslog messages as SNMP traps, but not the other way around.

Is this even possible? If yes, how do I configure it?

To my understanding the following commands enable logging of Syslog messages to SNMP traps:

snmp-server enable traps syslog

logging snmp-trap 0 7

Mark Malone · ‎05-08-2019

Hi
i haven't tested this or tried it before but this looks similar to what your asking maybe ?

https://www.oreilly.com/library/view/cisco-ios-cookbook/0596527225/ch17s15.html

Problem

You want to send syslog messages as SNMP traps or informs.
Solution

You can configure the router to forward syslog messages to your network management server as SNMP traps instead of syslog packets with the following configuration commands:

Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#logging history informational
Router(config)#snmp-server enable traps syslog
Router(config)#snmp-server host 172.25.1.1 ORATRAP syslog
Router(config)#end
Router#

To forward syslog messages as SNMP informs, use the following configuration commands:

Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#logging history informational
Router(config)#snmp-server enable informs
Router(config)#snmp-server host 172.25.1.1 informs version 2c ORATRAP syslog
Router(config)#end
Router#

i.va · ‎05-08-2019

Hi Mark

Thanky for your reply. This also seems to also be the other way around: to send Syslogs as SNMP traps or informs to SNMP server. I need to send SNMP traps as Syslog messages to a Syslog server. I also found the command "logging snmp-trap", which only seems to specify the syslog severity levels sent to SNMP (https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3850/software/release/37e/consolidated_guide/b_37e_consolidated_3850_cg/b_37e_consolidated_3850_cg_chapter_01011110.pdf). Also tried different combinations of this configuration, but none resulted in SNMP traps showing up on my Syslog server. It would be better for the rogue detection to send messages to Syslog directly, but could not find any config for this.

Mark Malone · ‎05-08-2019

This command you have looks right too , should work , but if its going outside the network should encrypt it

snmp-server enable traps syslog --- Enablesthe sending of system logging messages via SNMP

iportuga · ‎05-17-2019

I guess to achieve your goal you could create an EEM to trigger the snmp trap raising and send a custom syslog for it.
Otherwise you can overload the receiver sending syslog on two ways (SYSLOG and SNMP protocols).

i.va · ‎05-20-2019

Hi

Thanks for your input guys. I forgot about EEM...will check it out!

Kind Regards

Ingo

iandrew63 · ‎02-24-2023

This worked for me..... I did change the line Router(config)#snmp-server host 172.25.1.1 ORATRAP syslog to

Router(config)#snmp-server host 172.25.1.1 version 3 priv ORATRAP syslog using wireshark the traps were not encrypted.

The change I did sent them encrypted which is what I required.....did loads of googling and this was the only one that worked for me.