Hi Everyone,

Could anyone help with the following scenario and associated questions...

Imagine you have a network consisting of 10,000 elements split into 1,000 devices and 9,000 interfaces. For argument's sake assume the following:

1. The maximum number of traps that the management platform will receive is 200 per second and the typical number of traps is 10 per second.
2. For Syslog - assume we have 4 syslog servers (250 devices per server) that receive a maximum of 10 messages per second per server and a typical 1 message per second per server.
3. The devices are using 'out of the box' trap and syslog settings in terms of what they send.

Q1. What do you think will be the percentage of 'useful' traps from a fault management perspective? Of course it all depends upon what you are interested in and what the network is doing but some thoughts about the volume of useful traps and what those traps are would be really useful :)

Q2. Same question as Q1 but for syslog.

Q3. What do you expect the real figures to be based upon the network operating normally and what, from your experience, are they likely to be under fault conditions?

Q4. What, again from your experience, devices send the most traps and syslog messages? Is it that a particular manufacturer is particularly trap-heavy, for example?

Any thoughts or advice would be most appreciated.

regards,
Matt.
### On Wed, 20 Mar 2002 08:34:41 +0000, "Matt Duggan"
### <mattski27@hotmail.com> casually decided to expound upon nanog@merit.edu
### the following thoughts about "Trap and Syslog Query":

MD> Q1. What do you think will be the percentage of 'useful' traps from a fault
MD> management perspective? Of course it all depends upon what you are
MD> interested in and what the network is doing but some thoughts about the
MD> volume of useful traps and what those traps are would be really useful :)

Everything is useful. |8^)

You are right however in that it all depends on what you would consider critical, severe, informative. For instance, I would consider chassis alarms, link hard up/downs, BGP peer up/downs and adjacency failures to be immediately "useful" since they are directly related to correct operation of the network. Assuming a nominal state, you should be seeing zero of such useful traps. |8^) In practice, I would expect them to make up no more than 5% of your total traps unless you're having a REALLY bad day or suffering through a maintenance window. But again, it all depends on your network topology, how complex it is, what you're monitoring and what kind of services it's carrying (which ultimately defines the former criteria). Now if you extend your definition of "useful" to things like ACL violations then you might be seeing a lot of those (probably 80% of your traps).

MD> Q2. Same question as Q1 but for syslog.

In general, I think the answer to Q1 holds true for this question too. You might see some things in syslog which you won't see from traps however such as boot messages and this will skew the percentages but in general I think you get nearly a one-to-one relationship between the amount and type of information from syslog as from traps.

Based upon your description of syslog collectors (distributed and thus presumably closer to target devices) vs trap collector (central), I would expect you might get a slightly higher number of syslog messages overall due to UDP lossage of traps but of course, not knowing your topology and network loads that's just an off-the-cuff guess.

MD> Q3. What do you expect the real figures to be based upon the network
MD> operating normally and what, from your experience, are they likely to be
MD> under fault conditions?

I'm not sure I can provide an accurate answer to that. There are too many variables and unknowns [to me] about your network.

MD> Q4. What, again from your experience, devices send the most traps and syslog
MD> messages? - is it that a particular manufacturer are particularly trap-heavy
MD> for example?

I think it has more to do with the configuration of the snmp agent and/or syslog facility than any particular vendor or device type. It also has to do with what the device is doing. For instance, a dialup access server configured to log every user signon/signoff will probably generate more logging information than a core router configured to just log link alarms and adjacencies. In general, I would guess that customer facing devices would be more trap-heavy than core components.

-- 
/*===================[ Jake Khuon <khuon@NEEBU.Net> ]======================+
 | Packet Plumber, Network Engineers     /| / [~ [~ |) | |   --------------- |
 | for Effective Bandwidth Utilisation  / |/  [_ [_ |) |_|  N E T W O R K S |
 +=========================================================================*/
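The reply above sorts traps and syslog into "immediately useful" events (chassis alarms, link up/down, BGP peer and adjacency changes), noisy-but-arguably-useful ones (ACL violations) and the rest (boot and login messages). The following Python script is an added illustration, not part of either post and not any vendor's tool: it parses constructed syslog lines in the `%FACILITY-SEVERITY-MNEMONIC` style used by Cisco IOS, applies that classification, reports the percentage of "useful" messages, and tallies which hosts send the most (Q1, Q2 and Q4 together). The sample lines, hostnames, addresses and the facility/mnemonic rules are assumptions for the example; the rule table is what you would tune for your own vendors.

```python
import re
from collections import Counter

# Constructed sample lines (not from any real network): "<host> %FACILITY-SEV-MNEMONIC: text".
# One deliberately malformed line is included to exercise the parser's failure path.
SAMPLE_LOG = """\
access1 %SEC-6-IPACCESSLOGP: list 101 denied tcp 198.51.100.7(4312) -> 203.0.113.5(23), 1 packet
access1 %SEC-6-IPACCESSLOGP: list 101 denied udp 198.51.100.9(53) -> 203.0.113.5(53), 1 packet
access1 %SEC-6-IPACCESSLOGP: list 101 denied tcp 198.51.100.7(4313) -> 203.0.113.6(23), 1 packet
access2 %SEC-6-IPACCESSLOGP: list 101 denied tcp 198.51.100.21(1025) -> 203.0.113.8(22), 1 packet
access1 %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.0.2.40)
core1 %LINK-3-UPDOWN: Interface TenGigabitEthernet1/1, changed state to down
core1 %LINEPROTO-5-UPDOWN: Line protocol on Interface TenGigabitEthernet1/1, changed state to down
core1 %BGP-5-ADJCHANGE: neighbor 192.0.2.1 Down Interface flap
access2 %SYS-6-LOGOUT: User admin has exited tty session 1(192.0.2.40)
core2 %ENVMON-2-FAN_FAILURE: Fan tray 1 has failed
access2 %SEC-6-IPACCESSLOGP: list 101 denied tcp 198.51.100.21(1026) -> 203.0.113.8(22), 1 packet
access1 %SYS-5-RESTART: System restarted --
access2 keepalive ok
"""

# host, then the IOS-style tag; severity is a single digit 0 (emergency) .. 7 (debug).
LINE_RE = re.compile(
    r"^(?P<host>\S+)\s+%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-"
    r"(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)$"
)

# Categories the reply treats as directly tied to correct operation of the network.
USEFUL = frozenset({"link", "routing", "chassis", "critical"})


def parse_line(line):
    """Return a dict of fields for a well-formed line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["severity"] = int(rec["severity"])
    return rec


def classify(facility, severity, mnemonic):
    """Map a message to a category. The facility/mnemonic names are example rules
    (assumed for this illustration); adjust them for the platforms you run."""
    if facility in {"LINK", "LINEPROTO"} and mnemonic == "UPDOWN":
        return "link"          # link hard up/down
    if (facility, mnemonic) in {("BGP", "ADJCHANGE"), ("OSPF", "ADJCHG")}:
        return "routing"       # BGP peer / IGP adjacency change
    if facility in {"ENVM", "ENVMON"}:
        return "chassis"       # environmental / chassis alarm
    if facility == "SEC" and mnemonic.startswith("IPACCESSLOG"):
        return "acl"           # ACL violation: high volume, useful only by a wider definition
    if severity <= 2:
        return "critical"      # anything else at emergency/alert/critical severity
    return "other"             # boot, config, login/logout and similar informational noise


def summarize(log_text, top_n=3):
    """Count messages per category and per host; return the useful percentage
    (over parsed lines) and the busiest sources."""
    by_category = Counter()
    by_host = Counter()
    unparsed = 0
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec is None:
            unparsed += 1      # keep a count rather than silently dropping
            continue
        by_category[classify(rec["facility"], rec["severity"], rec["mnemonic"])] += 1
        by_host[rec["host"]] += 1
    parsed = sum(by_category.values())
    useful = sum(n for cat, n in by_category.items() if cat in USEFUL)
    return {
        "parsed": parsed,
        "unparsed": unparsed,
        "by_category": dict(by_category),
        "useful_pct": round(100.0 * useful / parsed, 1) if parsed else 0.0,
        "top_sources": by_host.most_common(top_n),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(f"parsed={report['parsed']} unparsed={report['unparsed']}")
    for cat, n in sorted(report["by_category"].items(), key=lambda kv: -kv[1]):
        print(f"  {cat:<9}{n:>4}{'  (useful)' if cat in USEFUL else ''}")
    print(f"useful: {report['useful_pct']}%  busiest: {report['top_sources']}")
```

On the constructed sample the ACL category alone is the largest bucket and the strictly useful events are a third of the parsed lines, which is the shape the reply predicts: the useful fraction is small and the customer-facing access devices are the noisiest. Running the same summary per collector against real feeds, and comparing its rate with the 200-per-second design ceiling from the question, is the check that tells you whether the budget is being spent on events anyone will act on.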