SNMP Trap vs Syslog

SNMP is the Simple Network Management Protocol. It requires a Manager that communicates with agents. Every network device has an agent pre-installed on it, so all a network manager needs to install is the SNMP Manager. Syslog is a log messaging standard used widely on Linux systems. Those messages go nowhere if you don’t have a Syslog server.

Both SNMP and Syslog require a utility to collect their messages. You need a more sophisticated system in order to analyze those messages and make use of them. So, which one is worth investing in? Can you use both?

SNMP

The Simple Network Management Protocol is widely used for network monitoring. Just about every network monitor that you can buy has SNMP procedures feeding into it.

In SNMP, a Manager broadcasts report requests over the network every four or five minutes. Every network device has an agent installed on it that constantly scans that device for status information and fills out a report. When the agent receives the request, it sends out the current version of its report, called a Management Information Base (MIB), and then carries on scanning.

If a device agent spots a serious problem, it doesn’t have to wait for a request to send out a report. This unrequested MIB is called a Trap. Network monitors interpret Traps into “alerts.” While the MIB gives many different types of data, including reports on traffic throughput on each interface, the purpose of the Trap is to draw attention to a specific problem.

As well as indicating the problem, the SNMP Trap includes a severity ranking. The severity levels in the SNMP standards are:

0 - Emergency - System unusable
1 - Alert - Immediate action needed
2 - Critical - Critical conditions exist
3 - Error - Error conditions exist
4 - Warning - Warning conditions exist
5 - Notice - Normal but significant conditions exist
6 - Information - Informational messages
7 - Debug - Debug messages

The lower the number in the Trap message, the bigger the problem.

See also: Common SNMP Vulnerabilities

Syslog

Syslog is an open standard – nobody owns it and the format is published free of charge. The Syslog messaging format is particularly popular on Linux operating systems and for the software that runs on them.

The format of a Syslog message includes:

Timestamp - The date and time the message was created
Host IP address - Identifies the device that created the message
Event message - An indicator of the event
Severity - A ranking of the seriousness of the event
Diagnostics - System conditions related to the event

As Syslog is a standard and not a software package, not every message-generating source will fill out all fields.

The purpose of log messages is to file them and use them for historical analysis. There are systems that search through log messages live; however, they are not examined as quickly as SNMP Trap messages. A closer relative of Syslog is the Windows Events standard.

Log messages are now very important for security systems, such as SIEM (Security Information and Event Management). Log messages need to be collected and then stored in files. Log analysis tools can then access log files and search through them for indications of intrusion. Storing log messages is also a requirement of many data protection standards, such as HIPAA and PCI-DSS.

See also: Syslog Server Tools

When to use SNMP Traps

It is very rare to find a system that relies on SNMP Traps alone. The Trap is just one of the message types that SNMP specifies, and you will most likely get information from Traps through a general network performance monitor. Most network performance monitors are paid products, and they fulfill the role of SNMP Manager.

All network equipment includes device agents, but the regular reports that they compile don’t get sent out unless requested. Trap messages can only be sent to a Manager whose address the agent already knows, because that Manager has previously contacted it. So, if there is no SNMP Manager operating on the network, there can be no use for SNMP Trap messages.

An extra benefit of operating an SNMP Manager is that the responses it receives every four or five minutes tell the monitor exactly what devices are out on the network and how they connect to each other. This gives the monitor an automatic device discovery service and provides all of the information about each device that enables a network inventory to be compiled.

SNMP messages can also be funneled through to log analysis systems that search for security events. In these cases, the Trap messages, together with all other SNMP MIB reports, will be converted into a neutral format so that they can be filed together with Syslog and Windows Event messages.
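The following Python script is an added example, not code from the original article or from any product it mentions. It shows two things described above: how a collector pulls the severity and facility out of a Syslog line (the PRI value in angle brackets is facility * 8 + severity, with the 0 to 7 severity scale from the table earlier on this page), and how Syslog messages and SNMP Trap variable bindings can be converted into one neutral event record and ordered so that the lowest severity number, the biggest problem, comes first. The sample Syslog lines and the Trap bindings are constructed for the example, and the table that assigns a severity to each well-known Trap OID is a local policy assumed here, not something the SNMP standards define.

```python
"""Normalize Syslog lines and SNMP Traps into one event schema (added example)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Severity names 0-7 in the order the article's table lists them.
SEVERITY_NAMES = ["Emergency", "Alert", "Critical", "Error",
                  "Warning", "Notice", "Informational", "Debug"]

# A subset of RFC 3164 facility codes; anything else becomes "facilityN".
FACILITY_NAMES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth",
                  5: "syslog", 6: "lpr", 7: "news", 9: "cron", 10: "authpriv",
                  16: "local0", 17: "local1", 18: "local2", 19: "local3",
                  20: "local4", 21: "local5", 22: "local6", 23: "local7"}

# Local policy (an assumption for this example): which severity a collector
# assigns to well-known notification OIDs. The Trap names the event; how
# serious it is for this network is decided in this table.
TRAP_SEVERITY = {
    "IF-MIB::linkDown": 3,                    # Error
    "IF-MIB::linkUp": 5,                      # Notice
    "SNMPv2-MIB::authenticationFailure": 4,   # Warning
    "SNMPv2-MIB::coldStart": 5,               # Notice
}


@dataclass
class Event:
    """The neutral record both sources are converted into."""
    source: str           # "syslog" or "snmp-trap"
    severity: int         # 0-7, lower number = bigger problem
    severity_name: str
    host: str
    timestamp: str
    message: str
    details: Dict[str, str] = field(default_factory=dict)


# BSD-style Syslog line: <PRI>Mmm dd hh:mm:ss HOST MESSAGE
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<msg>.*)$")


def parse_syslog(line: str) -> Event:
    """Split PRI into facility and severity (PRI = facility * 8 + severity)."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError(f"not a BSD syslog line: {line!r}")
    pri = int(m["pri"])
    if pri > 191:                      # 23 * 8 + 7 is the largest valid PRI
        raise ValueError(f"PRI out of range: {pri}")
    facility, severity = divmod(pri, 8)
    return Event(source="syslog", severity=severity,
                 severity_name=SEVERITY_NAMES[severity], host=m["host"],
                 timestamp=m["ts"], message=m["msg"],
                 details={"facility": FACILITY_NAMES.get(facility, f"facility{facility}")})


def normalize_trap(host: str, received_at: str, varbinds: Dict[str, str]) -> Event:
    """Turn a Trap's variable bindings (OID name -> value, as a trap handler
    receives them) into the same Event record."""
    trap_oid = varbinds.get("SNMPv2-MIB::snmpTrapOID.0", "unknown")
    severity = TRAP_SEVERITY.get(trap_oid, 6)   # unknown Traps default to Informational
    skip = ("SNMPv2-MIB::snmpTrapOID.0", "DISMAN-EVENT-MIB::sysUpTimeInstance")
    extra = {k: v for k, v in varbinds.items() if k not in skip}
    return Event(source="snmp-trap", severity=severity,
                 severity_name=SEVERITY_NAMES[severity], host=host,
                 timestamp=received_at, message=trap_oid, details=extra)


def worst_first(events: List[Event]) -> List[Event]:
    """Order by severity so an analyst sees the biggest problems first."""
    return sorted(events, key=lambda e: e.severity)


# Constructed sample input (not real captures).
SYSLOG_LINES = [
    "<34>Oct 11 22:14:15 gw01 sshd[2107]: Failed password for root from 203.0.113.5 port 53422 ssh2",
    "<13>Oct 11 22:14:20 app02 cron[411]: (root) CMD (/usr/local/bin/backup.sh)",
]
TRAPS = [
    ("core-sw01", "Oct 11 22:14:17",
     {"DISMAN-EVENT-MIB::sysUpTimeInstance": "12:03:44.10",
      "SNMPv2-MIB::snmpTrapOID.0": "IF-MIB::linkDown",
      "IF-MIB::ifIndex.3": "3", "IF-MIB::ifDescr.3": "GigabitEthernet0/3"}),
]


def build_feed() -> List[Event]:
    """Parse both sources and return one worst-first event list."""
    events = [parse_syslog(line) for line in SYSLOG_LINES]
    events += [normalize_trap(h, t, vb) for h, t, vb in TRAPS]
    return worst_first(events)


if __name__ == "__main__":
    for ev in build_feed():
        print(f"{ev.severity} {ev.severity_name:<13} {ev.source:<9} {ev.host:<10} {ev.message}")
```

The PRI check matters in practice: a collector that indexes severity names by an unchecked number will raise on malformed lines, so the parser rejects anything above 191 (the largest value a valid facility and severity pair can produce) before it touches the table.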

When to use Syslog

Like SNMP, Syslog messages are already there in your system; you just have to install a program to collect them. Syslog messages provide important information about activity on the system. By uniting the Syslog messages produced by Linux and the many software packages running on it, a network manager can get a good view of all of the problems that have arisen. Consolidating Syslog messages into a central store that also files Windows Event messages gives an even better view of system activity.

You would use Syslog to retrospectively analyze system activity. This is particularly useful for security investigations.

The bottom line

Both SNMP Traps and Syslog messages provide important system information. Both services are very useful for system monitoring and service analysis. SNMP is generally used more for network monitoring, while Syslog is more commonly used for software and operating system status notifications.

SNMP and Syslog services already exist on your system; you just need to install a message collector and interpreter. SNMP Traps and Syslog are both open standards that anyone can access. Software houses use those standards and integrate their functions into their products.

It is advisable to use both SNMP Traps and Syslog. Get a network performance monitor to exploit the services of SNMP Traps and buy a SIEM system to get the most out of Syslog.