
RE: [nv-l] Off Topic: Cisco and Tivoli Integration

To: <nv-l@lists.tivoli.com>
Subject: RE: [nv-l] Off Topic: Cisco and Tivoli Integration
From: "Barr, Scott" <Scott_Barr@csgsystems.com>
Date: Thu, 30 May 2002 14:22:46 -0500

It's even more scary than you think.

Here is what those yokels at Cisco are doing now with firewalls and content switches......

First of all, EVERY trap from the content switches and the firewalls is a syslog trap. Period.

Second of all, they don't even play by the same rules. Here are a couple of examples:

Firewall failover trap:

1019591095 3  Tue Apr 23 14:44:55 2002 ###.###.###.###              A clogMessageGenerated trap received from enterprise cisco-syslog with 5 arguments: clogHistFacility=20; clogHistSeverity=2; clogHistMsgName=Syslog Trap; clogHistMsgText=709003: (Primary) Beginning configuration replication: Send to mate.; clogHistTimestamp=383794600

Notice there is a variable clogHistMsgName and, from a firewall, this message "name" is just "Syslog Trap" - the identifying characteristic is the 709003 in the clogHistMsgText. This number means that this syslog trap is for configuration replication. Okay, now look at the trap from a content switch:
 
Router Trap:
 
1021970438 7 Tue May 21 03:40:38 2002 ########.csgsystems.com A clogMessageGenerated trap received from enterprise cisco-syslog with 5 arguments: clogHistFacility=OSPF; clogHistSeverity=5; clogHistMsgName=DUP_RTRID_AS; clogHistMsgText=Detected router with duplicate router ID 10.255.255.4 in Type-4 LSA advertised by 10.255.255.3; clogHistTimestamp=379244423
 
Notice the clogHistMsgName here is NOT "Syslog Trap" as in the first example, even though they both claim to be enterprise cisco-syslog traps. The identifying characteristic in the trap is NOT the first part of the clogHistMsgText as in the first example, but the clogHistMsgName. So if you are processing traps based on the presence of "Syslog Trap" you won't find it in syslog traps under certain circumstances. Maybe the "missing" traps use this exactly-the-same-but-different coding.
 
And while we are on the subject, don't try and use SNMP to get an interface table out of a backup firewall unless you are on PIX v6.2. Good lord.


-----Original Message-----
From: Allison, Jason (JALLISON) [mailto:JALLISON@arinc.com]
Sent: Thursday, May 30, 2002 1:35 PM
To: 'nv-l'
Subject: RE: [nv-l] Off Topic: Cisco and Tivoli Integration


I would also be interested in hearing examples.  It seems a bit scary that
Cisco would write events to syslog but not send traps.

Thanks,


Jason Allison
Principal Engineer
ARINC Incorporated
Office:  (410) 266-2006
FAX:  (410) 573-3026



-----Original Message-----
From: Barr, Scott [mailto:Scott_Barr@csgsystems.com]
Sent: Thursday, May 30, 2002 2:29 PM
To: nv-l@lists.tivoli.com
Subject: RE: [nv-l] Off Topic: Cisco and Tivoli Integration


My experience says that I have not seen a syslog message on a router that is
not sent as a trap. Do you have an example? Does the router in question
support logging of various severity levels? The IOS version would be
helpful too.

-----Original Message-----
From: Scott Bursik [mailto:tivoliesm@hotmail.com]
Sent: Thursday, May 30, 2002 11:20 AM
To: nv-l@lists.tivoli.com
Subject: [nv-l] Off Topic: Cisco and Tivoli Integration



Group,


I have a question that is sort of off topic, but I am sure that someone in
this forum has some experience.

We are looking for a way to monitor messages coming from Cisco devices. We
have a central syslog running on an AIX box that all of the Cisco devices in
our network write to. We also receive some traps from the devices, but there
are syslog messages that are not traps that we are interested in. We are
trying to implement a TEC syslog adapter but the limitations of the adapter
don't allow for the granularity that we are looking for. I was just wondering
how other companies have implemented a Tivoli/Cisco solution.

Any information anyone could provide would be greatly appreciated.

Thank You,

Scott Bursik
Pepsico Business Solutions Group
scott.bursik@pbsg.com


---------------------------------------------------------------------
To unsubscribe, e-mail: nv-l-unsubscribe@lists.tivoli.com
For additional commands, e-mail: nv-l-help@lists.tivoli.com

*NOTE*
This is not an Official Tivoli Support forum. If you need immediate
assistance from Tivoli please call the IBM Tivoli Software Group
help line at 1-800-TIVOLI8(848-6548)
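
The inconsistency described in the top message of this thread, as an added example that is not part of the original e-mail: a parser for the two quoted log lines that derives one event key whichever field carries the identity. The function names and the key format are assumptions made for this illustration.

```python
import re

# Varbinds are "name=value" pairs separated by "; ". Split only where the next
# clogHist* name begins, so punctuation inside clogHistMsgText survives intact.
VARBIND = re.compile(r"(clogHist\w+)=(.*?)(?=; clogHist\w+=|$)")
NUMERIC_ID = re.compile(r"^(\d+):")  # e.g. "709003: (Primary) Beginning ..."

SAMPLES = [  # the two log lines quoted in the message (hosts are masked there)
    "1019591095 3  Tue Apr 23 14:44:55 2002 ###.###.###.###              A clogMessageGenerated trap received from enterprise cisco-syslog with 5 arguments: clogHistFacility=20; clogHistSeverity=2; clogHistMsgName=Syslog Trap; clogHistMsgText=709003: (Primary) Beginning configuration replication: Send to mate.; clogHistTimestamp=383794600",
    "1021970438 7 Tue May 21 03:40:38 2002 ########.csgsystems.com A clogMessageGenerated trap received from enterprise cisco-syslog with 5 arguments: clogHistFacility=OSPF; clogHistSeverity=5; clogHistMsgName=DUP_RTRID_AS; clogHistMsgText=Detected router with duplicate router ID 10.255.255.4 in Type-4 LSA advertised by 10.255.255.3; clogHistTimestamp=379244423",
]

def parse_trap(line):
    """Return the clogHist* varbinds of one clogMessageGenerated line, or None."""
    if "clogMessageGenerated trap received" not in line:
        return None
    _, _, args = line.strip().partition("arguments: ")
    return {name: value.strip() for name, value in VARBIND.findall(args)}

def event_key(vb):
    """Derive a stable key for rule matching (key format is an assumption)."""
    name = vb.get("clogHistMsgName", "")
    text = vb.get("clogHistMsgText", "")
    if name == "Syslog Trap":
        # Firewall style: the name is generic, the identity is the numeric
        # prefix of the message text.
        m = NUMERIC_ID.match(text)
        return ("msgid", m.group(1)) if m else ("unknown", text[:40])
    # Second style: the identity is the message name, qualified by facility.
    return ("mnemonic", f"{vb.get('clogHistFacility', '?')}-{name}")

def summarize(lines):
    """Parse every recognizable trap line and return its key and severity."""
    out = []
    for line in lines:
        vb = parse_trap(line)
        if vb is not None:
            out.append((event_key(vb), vb.get("clogHistSeverity")))
    return out

if __name__ == "__main__":
    for key, severity in summarize(SAMPLES):
        print(key, "severity", severity)
```

A rule keyed only on `clogHistMsgName == "Syslog Trap"` matches the first sample and silently skips the second, which is the gap the message warns about.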

Archive operated by Skills 1st Ltd