Difference between trap and syslog message?

Can anyone explain to me what the difference is between a trap and a syslog message?

Visconti

Posted 4 weeks ago

Erik Auerswald, Embassador

Hi,

A trap is an SNMP message, sent via the SNMP protocol using UDP destination port 162 (by default). A Syslog message is a message sent via the Syslog protocol using UDP destination port 514 (by default).

SNMP was developed for network management, Syslog was developed for Unix-like systems.

While Syslog uses text messages that are supposed to be easily read by humans, SNMP traps use structured binary data that needs to be translated to human readable form based on a formal definition (MIB).

That said, both are used for the purpose of sending information regarding some kind of event to a central server.

Thanks,
Erik
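
To make the contrast in the answer above concrete, here is an added example (not part of the original thread and not Extreme code) that parses a constructed syslog datagram as text and the BER header of a constructed SNMPv2c trap. The function names and sample bytes are assumptions, and only SNMPv1/v2c framing is handled.

```python
import re

# BER tags of the SNMP PDU types that carry notifications.
PDU_TAGS = {0xA4: "Trap (SNMPv1)", 0xA6: "InformRequest", 0xA7: "SNMPv2-Trap"}
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

def read_tlv(buf, pos):
    """Read one BER tag-length-value element; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated BER value")
    return tag, buf[pos:pos + length], pos + length

def parse_syslog(data):
    """BSD-style syslog: '<PRI>' followed by human-readable text."""
    m = re.match(rb"<(\d{1,3})>", data)
    if not m or int(m.group(1)) > 191:
        raise ValueError("no valid <PRI> header")
    pri = int(m.group(1))
    return {"kind": "syslog", "facility": pri >> 3, "severity": SEVERITIES[pri & 7],
            "text": data[m.end():].decode("utf-8", "replace")}

def parse_snmp_header(data):
    """SNMPv1/v2c: SEQUENCE { INTEGER version, OCTET STRING community, PDU }."""
    tag, body, _ = read_tlv(data, 0)
    vtag, version, pos = read_tlv(body, 0)
    ctag, community, pos = read_tlv(body, pos)
    ptag, _, _ = read_tlv(body, pos)
    if (tag, vtag, ctag) != (0x30, 0x02, 0x04):
        raise ValueError("not an SNMPv1/v2c message")
    return {"kind": "snmp", "version": {0: "v1", 1: "v2c"}.get(version[-1], "other"),
            "community": community.decode("ascii", "replace"),
            "pdu": PDU_TAGS.get(ptag, hex(ptag))}

def classify(data, sender_ip):
    """sender_ip: source address of the UDP datagram, as returned by recvfrom()."""
    event = parse_syslog(data) if data[:1] == b"<" else parse_snmp_header(data)
    event["sender"] = sender_ip
    return event

# Constructed samples (not captured traffic); the trap carries an empty varbind list.
SYSLOG_SAMPLE = b"<187>Jan  5 10:12:01 sw1 PORT: Port 12 link down"
TRAP_SAMPLE = bytes.fromhex("3018020101" "04067075626c6963" "a70b020101020100020100" "3000")
```

Calling `classify(SYSLOG_SAMPLE, "192.0.2.10")` yields the readable text directly, while `classify(TRAP_SAMPLE, "192.0.2.10")` yields only the version, community and PDU type; the varbinds inside the PDU are numeric OIDs that still need the MIB to be interpreted.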

Visconti

Ok, so I can receive via trap or syslog message the IP address of the computer (NOT the switch) that has generated the alarm?

Ronald Dvorak, Embassador

You'd receive the trap and/or the syslog message from the device that is able to generate SNMP traps and/or syslog messages.

The message includes the IP from the sender.

Visconti

In the "information" field of the Alarms window I see only the port number of the switch but not the IP of the PC.

Erik Auerswald, Embassador

Hello Visconti,

Because the SNMP trap format is specified in the message information base (MIB), it cannot easily be extended with new information. While Syslog messages could theoretically be amended with additional information, switches generally do not provide that feature. On EXOS, one might be able to use a script to collect the relevant information and send it as a Syslog message, but I cannot tell you how exactly or even how hard that would be (I would have to find out how myself before).

Thus you need to manually (or possibly with scripting on the NMS) use the info from the trap to find out e.g. the port description from the switch.

Thanks,
Erik

Visconti

What does NMS mean?

Erik Auerswald, Embassador

NMS is the network management system, e.g. Extreme Management Center (XMC) — I hope I've got the name right, it has changed quite a lot. ;-)

Visconti

I'm desperately trying to find a way to create a "Flex view" using Extreme Management Console, but I cannot understand which field to add to the flex view to show me the IP address of the PC besides the message information of the alarm.

Erik Auerswald, Embassador

Well, it is not even certain that the switch the PC is connected to knows the IP address of the PC. If it does, you would need to query the respective tables where it is stored. That might be the ctAliasTable of Extreme switches, or something else. But after a link-down event relevant information is lost from the switch, e.g. the MAC address(es) seen on the port while it was up. Thus the switch might never have had the information (IP address), and it might have already forgotten the information (MAC address) you can use to find the IP on the router.

Anyway, you still need to somehow react to receiving the trap and then start looking for additional information.

A good way to get all the information about an end-system that was connected to a switch port that went down would be via ExtremeControl, which can be deployed in a visibility only mode (using optional MAC based authentication).

Sorry that I cannot give you a simple solution with just Extreme Management Console (XMC).

Thanks,
Erik