Re: SNMP vs SYSLOG

p.mckay · ‎11-09-2001

Just wondering, I set up the the PIX to have logging trap errors. I also configured the snmp-server enable traps. I send both syslog and snmp to the same Event monitor. It appears that I am recieving the smae messsages in both syslog and snmp. If I stop the syslog and rely only on snmp will I be missing any messages that syslog would have sent or is there any difference. Does anyone have a suggestion or best practicse they follow?

wdrootz · ‎11-15-2001

Both is probably unnecessary duplication to run both unless you are analyzing your logs with something like Private I from opensystems.com. But then you’ll need to run debugging log files.

jsferrei · ‎11-16-2001

There is no difference between syslog and snmp beside the way the message are sent to the logging device. The only thing that should direct your choice is the end device that is logging you message. If your logging/analysing/alerting product support syslog, you should use syslog instead of snmp since it take less ressources to operate.

brford · ‎11-22-2001

p.mckay,

Yes. Those would be the same messages.

I'd suggest that Syslog is what the Firewall Administrator needs to look at (regularly) and that SNMP is what the Network Administrator needs to look at (regularly). If the two people are one and the same then you can run just one.

Note that in the PIX there is a big difference between Syslog and SNMP. Syslog on the PIX can be configured to run over TCP (rather than UDP). SNMP runs over UDP. Syslog over TCP is more resource intensive on the PIX and the LAN. But the messages get to the Syslog server (where they may be otherwise discarded on a traffic heavy LAN).

Liberty for All,

Brian

Brian Ford | brford@cisco.com | brford@yahoo.com | 51 75 61 6c 69 74 79 20 6d 65 61 6e 73 20 64 6f 69 6e 67 20 69 74 20 72 69 67 68 74 20 77 68 65 6e 20 6e 6f 20 6f 6e 65 20 69 73 20 6c 6f 6f 6b 69 6e 67 2e | Email me when you figure this out.