Sending Syslog Messages As SNMP Traps and Informs

Problem

You want to send syslog messages as SNMP traps or informs.

Solution

You can configure the router to forward syslog messages to your network management server as SNMP traps instead of syslog packets with the following configuration commands:

Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#logging history informational
Router(config)#snmp-server enable traps syslog
Router(config)#snmp-server host 172.25.1.1 ORATRAP syslog
Router(config)#end
Router#

To forward syslog messages as SNMP informs, use the following configuration commands:

Router#configure terminal 
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#logging history informational
Router(config)#snmp-server enable informs
Router(config)#snmp-server host 172.25.1.1 informs version 2c ORATRAP syslog
Router(config)#end
Router#

Discussion

Cisco routers normally forward syslog messages via the syslog facility by using UDP port 514. However, in networks that support SNMP traffic only, Cisco routers can encapsulate their syslog messages into SNMP traps before sending them.

This feature is most useful if your network management software doesn't support the syslog protocol. However, since routers can produce many more syslog messages than SNMP traps, we recommend using syslog when possible. Further, all of the syslog messages sent as SNMP traps use the same OID, which can make it quite difficult to pick particular log messages out of the trap log.

Here is an example log message as it appears in the router's log:

Router#clear counters
Clear "show interface" counters on all interfaces [confirm]
Router#
May 28 10:07:04: %CLEAR-5-COUNTERS: Clear counter on all interfaces by ijbrown on vty0 (172.25.1.1)

The router sends this message as a trap to the network management server, which records it in its trap log:

Freebsd% tail snmptrapd.log
May 28 10:07:04 freebsd snmptrapd[77759]: 172.25.25.1: Enterprise Specific Trap (1) Uptime: 18 days, 22:35:26.99, enterprises.9.9.41.1.2.3.1.2.118 = "CLEAR", enterprises.9.9.41.1.2.3.1.3.118 = 6, enterprises.9.9.41.1.2.3.1.4.118 = "COUNTERS", enterprises.9.9.41.1.2.3.1.5.118 = "Clear counter on all interfaces by ijbrown on vty0 (172.25.1.1)", enterprises.9.9.41.1.2.3.1.6.118 = Timeticks: (163652698) 18 days, 22:35:26.98
Freebsd%

In this example, we forced the router to create a log message by clearing the interface counters. The router displayed the raw syslog message to the vty session. The same information appears in the server's snmptrapd.log file, a flat file that contains all SNMP traps forwarded to the server. This example assumes that the network management system uses the NET-SNMP package. Other network management systems store trap information in different formats and under different filenames.
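Because every syslog trap arrives under the same OID, picking out a particular message means reading the varbinds. The following Python sketch is an added example, not part of the original recipe: it rebuilds the router's syslog line from a snmptrapd.log entry in the format shown above. The function names are hypothetical, and the column meanings and the 1-to-8 severity numbering are taken from CISCO-SYSLOG-MIB, which is why the trap carries 6 where the router printed 5.

```python
import re

# Columns of clogHistoryTable in CISCO-SYSLOG-MIB: the number that follows
# enterprises.9.9.41.1.2.3.1 in each varbind of the trap.
COLUMNS = {"2": "facility", "3": "severity", "4": "mnemonic", "5": "text"}
REQUIRED = set(COLUMNS.values())
VARBIND = re.compile(
    r'enterprises\.9\.9\.41\.1\.2\.3\.1\.(\d+)\.(\d+) = ("(?:[^"\\]|\\.)*"|[^,]*)')
HEADER = re.compile(r'(\w{3}\s+\d+ [\d:]+) \S+ snmptrapd\[\d+\]: ([\d.]+):')

# The trap log entry shown on this page.
PAGE_LINE = (
    'May 28 10:07:04 freebsd snmptrapd[77759]: 172.25.25.1: Enterprise Specific '
    'Trap (1) Uptime: 18 days, 22:35:26.99, '
    'enterprises.9.9.41.1.2.3.1.2.118 = "CLEAR", '
    'enterprises.9.9.41.1.2.3.1.3.118 = 6, '
    'enterprises.9.9.41.1.2.3.1.4.118 = "COUNTERS", '
    'enterprises.9.9.41.1.2.3.1.5.118 = "Clear counter on all interfaces by '
    'ijbrown on vty0 (172.25.1.1)", '
    'enterprises.9.9.41.1.2.3.1.6.118 = Timeticks: (163652698) 18 days, 22:35:26.98')
# Constructed entry for a trap that does not carry a syslog message.
OTHER_LINE = (
    'May 28 10:09:11 freebsd snmptrapd[77759]: 172.25.25.1: Link Down Trap (0) '
    'Uptime: 18 days, 22:37:33.10, interfaces.ifTable.ifEntry.ifIndex.2 = 2')

def parse_syslog_trap(line):
    """Return the syslog fields carried by one trap log line, or None."""
    header = HEADER.match(line)
    fields = {}
    for column, index, value in VARBIND.findall(line):
        if column in COLUMNS:
            fields[COLUMNS[column]] = value.strip().strip('"')
            fields["index"] = int(index)  # row in the router's logging history
    if header is None or not REQUIRED <= set(fields):
        return None  # some other kind of trap
    fields["received"], fields["source"] = header.groups()
    # The MIB numbers severities 1..8 (emergency..debug); syslog uses 0..7.
    fields["severity"] = int(fields["severity"]) - 1
    return fields

def to_syslog(fields):
    """Format the fields the way the router prints the message."""
    return "%{facility}-{severity}-{mnemonic}: {text}".format(**fields)

if __name__ == "__main__":
    for entry in (PAGE_LINE, OTHER_LINE):
        parsed = parse_syslog_trap(entry)
        if parsed:
            print(parsed["source"], to_syslog(parsed))
```
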

You can also configure the router to forward syslog messages as SNMP informs. The result is the same as for traps. For more information on syslog and logging in general, please refer to Chapter 18.

See Also