SNMP is the Simple Network Management Protocol. It requires a manager that communicates with agents. Every network device has an agent pre-installed on it, so all a network manager needs to install is the SNMP Manager. Syslog is a log messaging standard used widely in Linux systems. Those messages go nowhere if you don’t have a Syslog server.
Both SNMP and Syslog require a utility to collect their messages. You need a more sophisticated system in order to analyze those messages and make use of them. So, which one is worth investing in? Can you use both?
SNMP
The Simple Network Management Protocol is widely used for network monitoring. Just about every network monitor that you can buy has SNMP procedures feeding into it.
In SNMP, a Manager broadcasts report requests over the network every four or five minutes. Every network device has an agent installed on it that constantly scans that device for statuses and fills out a form. When the agent receives the request, it sends out the current version of its report, called a Management Information Base (MIB), and then carries on scanning.
If a device agent spots a serious problem, it doesn’t have to wait for a request to send out a report. This unrequested MIB is called a Trap. Network monitors interpret Traps into “alerts.” While the MIB gives many different types of data, including reports on traffic throughput on each interface, the purpose of the Trap is to draw attention to a specific problem.
As well as indicating the problem, the SNMP Trap includes a severity ranking. The severity levels in the SNMP standards are:
| 0 | Emergency | System unusable |
| 1 | Alert | Immediate action needed |
| 2 | Critical | Critical conditions exist |
| 3 | Error | Eroor conditions exist |
| 4 | Warning | Warning conditions exist |
| 5 | Notice | Normal but significant conditions exist |
| 6 | Information | Informational messages |
| 7 | Debug | Debug messages |
The lower the number in the Trap message, the bigger the problem.
See also: Common SNMP Vulnerabilities
Syslog
Syslog is an open standard – nobody owns it and the format is published free of charge. The Syslog messaging format is particularly popular on Linux operating systems and for the software that runs on them.
The format of a Syslog message includes:
| Timestamp | The date and time the message was created |
| Host IP address | Identifies the device the created the message |
| Event message | An indicator of the event |
| Severity | A ranking of the seriousness of the event |
| Diagnostics | System conditions related to the event |
As Syslog is a standard and not a software package, not every message-generating source will fill out all fields.
The purpose of log messages is to file them and use them for historical analysis. There are systems that search through log messages live. However, they are not examined as quickly as SNMP Trap messages. A closer associate to Syslog is the Windows Events standard.
Log messages are now very important for security systems, such as SIEM (Security Information and Event Management). Log messages need to be collected and then stored in files. Log analysis tools can then access log files and search through them for indications of intrusion. Storing log messages is also a requirement of many data protection standards, such as HIPAA and PCI-DSS.
See also: Syslog Server Tools
When to use SNMP Traps
It is very rare to find a system that relies on SNMP Traps alone. The Trap is just one of the message types that SNMP specifies and you will most likely get information from them through a general network performance monitor. Most network performance monitors are charged for and they fulfill the role of SNMP manager.
All network equipment includes device agents but the regular reports that they compile don’t get sent out unless requested. The Trap messages can only be sent out to a Manager that has already sent out its address. So, if there is no SNMP Manager operating on the network, there can be no use for the SNMP Trap messages.
An extra benefit of operating an SNMP Manager is that the responses it receives every four or five minutes tell the monitor exactly what devices are out on the network and how they connect to each other. This gives the monitor an automatic device discovery service and provides all of the information about each device that enables a network inventory to be compiled.
SNMP messages can also be funneled through to log analysis systems that search for security events. In these cases, the Trap messages, together with all other SNMP MIB reports will be converted into a neutral format so that they can be filed together with Syslog and Windows Event messages.
When to use Syslog
Like SNMP, Syslog messages are already there in your system, you just have to install a program to collect them. Syslog messages provide important information about activity on the system. By uniting the Syslog messages that arise in many software packages and Linux, a network manager can get a good view of all of the problems that have arisen. Consolidating Syslog messages into a central store that also files Windows Event messages gets an even better view of system activity.
You would use Syslog to retrospectively analyze system activity. This is particularly useful for security investigations.
The bottom line
Both SNMP Traps and Syslog messages provide important system information. Both services are very useful for system monitoring and service analysis. SNMP is generally used more for network monitoring, while Syslog is more commonly used for software and operating system status notifications.
SNMP and Syslog services already exist on your system, you just need to install a message collector and interpreter. SNMP Traps and Syslog are both open standards that anyone can access. Software houses access those standards and integrate their functions into their products.
It is advisable to use both SNMP Traps and Syslog. Get a network performance monitor to exploit the services of SNMP Traps and buy a SIEM system to get the most out of Syslog.
SNMP Trap and Syslog FAQs
What is the difference between SNMP trap and syslog?
SNMP is the Simple Network Management Protocol. It is a system that enables a central SNMP Manager to gather status reports from network device agents. All network equipment manufacturers install SNMP agents on their products. However, the agent is not always turned on by default. so it needs to be activated. There is no pre-installed SNMP Manager available, so it is usual to buy a network performance monitoring tool, which implements this role. Syslog is a log messaging standard that was originally designed for Unix and is still widely used in Linux distros and macOS. Software producers can also decide to use this standard. Syslog messages report on the statuses of software.
What is SNMP trap used for?
In the Simple Network Management Protocol (SNMP) device agents send a status report (called a MIB) when the central SNMP Manager asks for it. Between requests, the agent scans the device that it runs on for statuses. If the agent detects a problem, it is allowed to send out a MIB reporting this issue without having to wait for a request. This unrequested report is called an SNMP Trap message.
What is the difference between SNMP and SNMP trap?
SNMP is the Simple Network Management Protocol and it dictates a method of operation for a central SNMP Manager unit and agents that are installed on network devices. The SNMP Manager periodically broadcasts a request for reports. All agents listen for an SNMP request and respond by sending a report, called a management information base (MIB). The agent constantly scans the device that hosts it and if it finds a problem, it is able to send out a report without waiting for a request. This is called the SNMP Trap.
