North American Network Operators Group


Re: Trap and Syslog Query

  • From: Jake Khuon
  • Date: Wed Mar 20 04:42:59 2002

### On Wed, 20 Mar 2002 08:34:41 +0000, "Matt Duggan"
### <[email protected]> casually decided to expound upon [email protected]
### the following thoughts about "Trap and Syslog Query":

MD> Q1. What do you think will be the percentage of 'useful' traps from a fault 
MD> management perspective? Of course it all depends upon what you are 
MD> interested in and what the network is doing but some thoughts about the 
MD> volume of useful traps and what those traps are would be really useful :)

Everything is useful. |8^)  You are right however in that it all depends on
what you would consider critical, severe, informative.  For instance, I
would consider chassis alarms, link hard up/downs, BGP peer up/downs and
adjacency failures to be immediately "useful" since they are directly
related to correct operation of the network.  Assuming a nominal state, you
should be seeing zero of such useful traps. |8^)  In practice, I would
expect them to make up no more than 5% of your total traps unless you're
having a REALLY bad day or suffering through a maintenance window.  But
again, it all depends on your network topology, how complex it is, what
you're monitoring and what kind of services it's carrying (which ultimately
defines the former criteria).

Now if you extend your definition of "useful" to things like ACL violations
then you might be seeing a lot of those (probably 80% of your traps).

MD> Q2. Same question as Q1 but for syslog.

In general, I think the answer to Q1 holds true for this question too.  You
might see some things in syslog which you won't see from traps however such
as boot messages and this will skew the percentages but in general I think
you get nearly a one-to-one relationship between the amount and type of
information from syslog as from traps.  Based upon your description of syslog
collectors (distributed and thus presumably closer to target devices) vs
trap collector (central), I would expect you might get a slightly higher
number of syslog messages overall due to UDP lossage of traps but of course,
not knowing your topology and network loads that's just an off-the-cuff

MD> Q3. What do you expect the real figures to be based upon the network 
MD> operating normally and what, from your experience, are they likely to be 
MD> under fault conditions?

I'm not sure I can provide an accurate answer to that.  There are too many
variables and unknowns [to me] about your network.

MD> Q4. What, again from your experience, devices send the most traps and syslog 
MD> messages? - is it that a particular manufacturer are particularly trap-heavy 
MD> for example?

I think it has more to do with the configuration of the snmp agent and/or
syslog facility than any particular vendor or device type.  It also has to
do with what the device is doing.  For instance, a dialup access server
configured to log every user signon/signoff will probably generate more
logging information than a core router configured to just log link alarms
and adjacencies.  In general, I would guess that customer facing devices
would be more trap-heavy than core components.

/*===================[ Jake Khuon <[email protected]> ]======================+
 | Packet Plumber, Network Engineers     /| / [~ [~ |) | | --------------- |
 | for Effective Bandwidth Utilisation  / |/  [_ [_ |) |_| N E T W O R K S |
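As an added example (not code from this thread), a small Python classifier that sorts constructed, loosely Cisco IOS-style syslog lines into the buckets Jake describes (chassis alarms, link up/downs, BGP peer and IGP adjacency changes as "critical"; ACL violations; boot messages) and reports each bucket's share, so the "useful" percentage can be measured on a real feed instead of guessed. The message mnemonics, the rule-to-bucket mapping and the sample lines are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines, loosely Cisco IOS-style (%FACILITY-SEVERITY-MNEMONIC).
# They are not captured from a real device.
SAMPLE_LOG = """\
Mar 20 04:40:01 rtr1 %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.0.2.10(4433) -> 198.51.100.5(22), 1 packet
Mar 20 04:40:02 rtr1 %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.0.2.11(4434) -> 198.51.100.5(22), 1 packet
Mar 20 04:40:03 rtr1 %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down
Mar 20 04:40:03 rtr1 %BGP-5-ADJCHANGE: neighbor 203.0.113.2 Down Interface flap
Mar 20 04:40:04 rtr1 %OSPF-5-ADJCHG: Process 1, Nbr 203.0.113.3 on GigabitEthernet0/1 from FULL to DOWN
Mar 20 04:40:05 rtr1 %SEC-6-IPACCESSLOGP: list 101 denied udp 192.0.2.12(53) -> 198.51.100.5(53), 1 packet
Mar 20 04:40:06 rtr1 %SYS-5-CONFIG_I: Configured from console by admin on vty0
Mar 20 04:40:07 rtr1 %ENVMON-2-FAN: Fan 1 failed
Mar 20 04:40:08 rtr1 %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.0.2.13(4435) -> 198.51.100.5(23), 1 packet
Mar 20 04:40:09 rtr1 %SYS-5-RESTART: System restarted --
"""

# Hypothetical mapping from the post's fault-management buckets to facilities and
# mnemonics: "critical" = chassis alarms, link hard up/down, BGP peer up/down and
# IGP adjacency changes; "acl" = ACL violations; "boot" = syslog-only restart
# messages.  Anything unmatched falls through to the severity check below.
RULES = [
    ("critical", re.compile(r"%(ENVMON|LINK|BGP|OSPF)-\d-(FAN|TEMP|UPDOWN|ADJCHANGE|ADJCHG)")),
    ("acl", re.compile(r"%SEC-\d-IPACCESSLOG")),
    ("boot", re.compile(r"%SYS-\d-RESTART")),
]

MSG_RE = re.compile(r"%(?P<facility>[A-Z_0-9]+)-(?P<sev>\d)-(?P<mnemonic>[A-Z_0-9]+):")

def classify(line):
    """Return the bucket for one syslog line ('critical', 'acl', 'boot' or 'other')."""
    for bucket, pattern in RULES:
        if pattern.search(line):
            return bucket
    m = MSG_RE.search(line)
    # Fallback: a message the device itself marks severity 0-2 (emergency..critical)
    # is treated as critical even when no explicit rule names its mnemonic.
    if m and int(m.group("sev")) <= 2:
        return "critical"
    return "other"

def bucket_shares(text):
    """Count non-empty lines per bucket; return (counts, percent share per bucket)."""
    counts = Counter(classify(l) for l in text.splitlines() if l.strip())
    total = sum(counts.values())
    shares = {b: round(100.0 * n / total, 1) for b, n in counts.items()}
    return counts, shares

if __name__ == "__main__":
    for bucket, pct in sorted(bucket_shares(SAMPLE_LOG)[1].items()):
        print(f"{bucket:9s} {pct:5.1f}%")
```

On the constructed sample the ACL bucket already matches the "critical" bucket in volume; on a production feed you would expect the ACL share to dominate, as the post suggests.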