It's even more scary than you think.

Here is what those yokels at Cisco are doing now with firewalls and content switches......

First of all, EVERY trap from the content switches and the firewalls is a syslog trap. Period.

Second of all, they don't even play by the same rules. Here are a couple of examples:

Firewall failover trap:

1019591095 3 Tue Apr 23 14:44:55 2002 ###.###.###.### A clogMessageGenerated trap received from enterprise cisco-syslog with 5 arguments: clogHistFacility=20; clogHistSeverity=2; clogHistMsgName=Syslog Trap; clogHistMsgText=709003: (Primary) Beginning configuration replication: Send to mate.; clogHistTimestamp=383794600

Notice there is a variable clogHistMsgName and from a firewall, this message "name" is just "Syslog Trap" - the identifying characteristic is the 709003 in the clogHistMsgText. This number means that this syslog trap is for configuration replication. Okay, now look at the trap from a content switch:

Router Trap:

1021970438 7 Tue May 21 03:40:38 2002 ########.csgsystems.com A clogMessageGenerated trap received from enterprise cisco-syslog with 5 arguments: clogHistFacility=OSPF; clogHistSeverity=5; clogHistMsgName=DUP_RTRID_AS; clogHistMsgText=Detected router with duplicate router ID 10.255.255.4 in Type-4 LSA advertised by 10.255.255.3; clogHistTimestamp=379244423

Notice the clogHistMsgName here is NOT "Syslog Trap" as in the first example even though they both claim to be enterprise cisco-syslog traps. The identifying characteristic in the trap is NOT the first part of the clogHistMsgText as in the first example, but the clogHistMsgName. So if you are processing traps based on the presence of "Syslog Trap" you won't find in syslog traps under certain circumstances.

Maybe the "missing" traps use this exactly-the-same-but-different coding.

And while we are on the subject, don't try and use SNMP to get an interface table out of a backup firewall unless you are on PIX v6.2. Good lord.

-----Original Message-----
From: Allison, Jason (JALLISON) [mailto:JALLISON@arinc.com]
Sent: Thursday, May 30, 2002 1:35 PM
To: 'nv-l'
Subject: RE: [nv-l] Off Topic: Cisco and Tivoli Integration

I would also be interested in hearing examples. It seems a bit scary that Cisco would write events to syslog but not send traps.

Thanks,

Jason Allison
Principal Engineer
ARINC Incorporated
Office: (410) 266-2006
FAX: (410) 573-3026

-----Original Message-----
From: Barr, Scott [mailto:Scott_Barr@csgsystems.com]
Sent: Thursday, May 30, 2002 2:29 PM
To: nv-l@lists.tivoli.com
Subject: RE: [nv-l] Off Topic: Cisco and Tivoli Integration

My experience says that I have not seen a syslog message on a router that is not sent as a trap. Do you have an example? Does the router in question support logging of various severity levels? What version IOS too would be helpful.

-----Original Message-----
From: Scott Bursik [mailto:tivoliesm@hotmail.com]
Sent: Thursday, May 30, 2002 11:20 AM
To: nv-l@lists.tivoli.com
Subject: [nv-l] Off Topic: Cisco and Tivoli Integration

Group,

I have a question that is sort of off topic, but I am sure that someone in this forum has some experience.

We are looking for a way to monitor messages coming from Cisco devices. We have a central syslog running on an AIX box that all of the Cisco devices in our network write to. We also receive some traps from the devices, but there are syslog messages that are not traps that we are interested in. We are trying to implement a TEC syslog adapter but the limitations of the adapter don't allow for the granularity that we are looking for. I was just wondering how other companies have implemented a Tivoli/Cisco solution.

Any information anyone could provide would be greatly appreciated.

Thank You,

Scott Bursik
Pepsico Business Solutions Group
scott.bursik@pbsg.com
---------------------------------------------------------------------
To unsubscribe, e-mail: nv-l-unsubscribe@lists.tivoli.com
For additional commands, e-mail: nv-l-help@lists.tivoli.com

*NOTE* This is not an Official Tivoli Support forum. If you need immediate assistance from Tivoli please call the IBM Tivoli Software Group help line at 1-800-TIVOLI8(848-6548)
---------------------------------------------------------------------
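
The first message in this thread describes two shapes of cisco-syslog trap: the firewall one is named "Syslog Trap" and identified by the number leading clogHistMsgText, while the other is identified by clogHistMsgName itself. The sketch below is an added example, not code from any poster or from Cisco or Tivoli; it normalizes both shapes to one match key and shows which trap a plain "Syslog Trap" filter drops. The function names and the style labels ("msgid", "mnemonic", "generic") are hypothetical, and the host fields in the samples are constructed placeholders.

```python
import re

# Split varbinds on the next clogHist* name, not on ";", so that message
# text containing ";" or "=" stays in one piece.
VARBIND = re.compile(r"(clogHist\w+)=(.*?)(?=;\s*clogHist\w+=|;?\s*$)", re.S)
MSG_ID = re.compile(r"(\d+):\s*")  # leading numeric ID, as in "709003: ..."

# Trap text copied from the two examples in the thread; the host fields are
# constructed placeholders because the thread masks the real ones.
SAMPLES = [
    "1019591095 3 Tue Apr 23 14:44:55 2002 192.0.2.10 A clogMessageGenerated "
    "trap received from enterprise cisco-syslog with 5 arguments: "
    "clogHistFacility=20; clogHistSeverity=2; clogHistMsgName=Syslog Trap; "
    "clogHistMsgText=709003: (Primary) Beginning configuration replication: "
    "Send to mate.; clogHistTimestamp=383794600",
    "1021970438 7 Tue May 21 03:40:38 2002 router.example.com A "
    "clogMessageGenerated trap received from enterprise cisco-syslog with 5 "
    "arguments: clogHistFacility=OSPF; clogHistSeverity=5; "
    "clogHistMsgName=DUP_RTRID_AS; clogHistMsgText=Detected router with "
    "duplicate router ID 10.255.255.4 in Type-4 LSA advertised by "
    "10.255.255.3; clogHistTimestamp=379244423",
]

def parse_varbinds(line):
    """Return the clogHist* varbinds of one formatted trap line as a dict."""
    return {name: value.strip() for name, value in VARBIND.findall(line)}

def event_key(line):
    """Return (style, key, text); key is the value a rule should match on."""
    vb = parse_varbinds(line)
    name, text = vb.get("clogHistMsgName"), vb.get("clogHistMsgText")
    if name is None or text is None:
        return ("unparsed", None, line.strip())
    if name != "Syslog Trap":
        return ("mnemonic", name, text)               # e.g. DUP_RTRID_AS
    m = MSG_ID.match(text)
    if m:
        return ("msgid", m.group(1), text[m.end():])  # e.g. 709003
    return ("generic", None, text)  # "Syslog Trap" with no ID: review by hand

def missed_by_name_filter(lines):
    """Keys of traps that a plain 'Syslog Trap' string match would drop."""
    return [event_key(l)[1] for l in lines if "Syslog Trap" not in l]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(event_key(sample))
```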