SNMP and syslogd

Logging is a critical task on any network: it gives you a baseline to compare against and something to check periodically for signs of trouble. Most network equipment can send SNMP (Simple Network Management Protocol) traps, unsolicited messages reporting events such as an interface going down (linkDown), a reboot (coldStart) or a request with a bad community string (authenticationFailure). But where do you send them?

A cheap and easy way to collect them is to point the devices at a Linux box running snmptrapd, which receives traps on UDP port 162 and logs each one. Install the "net-snmp" tools, from source or from your distribution's package, and configure snmptrapd to start at your normal run levels for background services. Two checks are worth making before trusting the result. First, since net-snmp 5.3 snmptrapd silently drops traps it has not been told to accept, so snmptrapd.conf needs an "authCommunity log <community>" line for each community your devices send with (or SNMPv3 createUser/authUser entries); without it the daemon runs but logs nothing. Second, restrict UDP/162 on the collector to the addresses of your own network equipment: anyone who can reach the port can inject traps into your log, and SNMPv1/v2c community strings cross the network in the clear. The remaining trick is keeping the trap messages apart from everything else on the system. By default snmptrapd logs through syslog with "-Lsd", i.e. facility daemon, which lands in the general message log and is easy to lose in the crowd. Change the daemon's startup options to "-Ls0 -p /var/run/snmptrapd.pid": the character after "-Ls" selects the syslog facility, "d" for daemon or a digit 0-7 for local0 through local7, so "-Ls0" sends the traps to facility local0. Then edit syslog.conf and add a selector for that facility:


# SNMP trap
local0.* /var/log/snmptrapd.log

This sends everything logged at facility local0 to /var/log/snmptrapd.log (traditional syslogd requires a tab between the selector and the action; rsyslog accepts spaces). If your "messages" line is a catch-all such as "*.info;mail.none;...", append ";local0.none" to it so the traps are not logged twice, then signal syslogd to reread its configuration. From there a tool like filter-syslog, or a short script of your own, can pull out the "interesting" events: linkDown, coldStart, authenticationFailure, and any trap from a device you did not expect to hear from. Note that the left-hand side of a syslog.conf selector is always facility.priority, never a program name, which is why the obvious guesses ("snmp.*", "snmpv2.*", "snmptrap.*", "snmptrapd.*") do not work with the default -Lsd logging. If you would rather not give up a whole local facility, rsyslog can match on the program name instead with a property-based filter: ":programname, isequal, "snmptrapd" /var/log/snmptrapd.log".
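The filtering step above, as an added example that is not part of the original page or of net-snmp: a small Python script that parses lines from /var/log/snmptrapd.log, pulls out the trap OID and varbinds, reports the traps listed as interesting, and counts repeated authenticationFailure traps per device, since a run of those from one agent usually means someone is guessing community strings against it. The sample log lines are constructed; their layout approximates the default snmptrapd syslog output (agent address, transport, then tab-separated varbinds), but the exact shape varies between net-snmp versions, so check the regular expression against a real line from your own log before relying on it.

```python
"""Pick the interesting traps out of an snmptrapd log (facility local0 file).

Added example, not the page's or net-snmp's own code. The log format below is
an assumption that approximates the default snmptrapd output; adjust LINE_RE
to match a real line from your version.
"""
import re
from collections import Counter

# Trap OIDs a practitioner usually wants to see immediately, with the reason.
INTERESTING = {
    "IF-MIB::linkDown": "interface went down",
    "SNMPv2-MIB::coldStart": "device rebooted",
    "SNMPv2-MIB::authenticationFailure": "bad community string or SNMP probe",
}

# Constructed sample log lines (not real captures). Varbinds are tab-separated.
SAMPLE_LOG = """\
Mar  3 10:01:02 loghost snmptrapd[812]: 192.0.2.10 [UDP: [192.0.2.10]:162->[192.0.2.1]:162]: DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (5123400) 14:13:54.00\tSNMPv2-MIB::snmpTrapOID.0 = OID: IF-MIB::linkDown\tIF-MIB::ifIndex.3 = INTEGER: 3
Mar  3 10:01:05 loghost snmptrapd[812]: 192.0.2.10 [UDP: [192.0.2.10]:162->[192.0.2.1]:162]: DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (5123700) 14:13:57.00\tSNMPv2-MIB::snmpTrapOID.0 = OID: IF-MIB::linkUp\tIF-MIB::ifIndex.3 = INTEGER: 3
Mar  3 10:15:44 loghost snmptrapd[812]: 192.0.2.20 [UDP: [192.0.2.20]:162->[192.0.2.1]:162]: DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (0) 0:00:00.00\tSNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2-MIB::coldStart
Mar  3 10:16:01 loghost snmptrapd[812]: 192.0.2.10 [UDP: [192.0.2.10]:162->[192.0.2.1]:162]: DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (5124300) 14:14:03.00\tSNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2-MIB::authenticationFailure
Mar  3 10:16:02 loghost snmptrapd[812]: 192.0.2.10 [UDP: [192.0.2.10]:162->[192.0.2.1]:162]: DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (5124400) 14:14:04.00\tSNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2-MIB::authenticationFailure
Mar  3 10:20:00 loghost snmptrapd[812]: NET-SNMP version 5.9 Stopped.
"""

# syslog timestamp, host, program[pid], agent address, UDP transport, varbinds.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ snmptrapd\[\d+\]: "
    r"(?P<agent>\S+) \[UDP: \[(?P<src>[^\]]+)\]:(?P<sport>\d+)"
    r"->\[[^\]]+\]:\d+\]: (?P<varbinds>.*)$"
)


def parse_line(line):
    """Return a dict for a trap line, or None for daemon chatter (start/stop)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    varbinds = {}
    for vb in m.group("varbinds").split("\t"):
        name, _, value = vb.partition(" = ")
        varbinds[name] = value
    trap_oid = varbinds.get("SNMPv2-MIB::snmpTrapOID.0", "")
    if trap_oid.startswith("OID: "):
        trap_oid = trap_oid[len("OID: "):]
    return {
        "ts": m.group("ts"),
        "agent": m.group("agent"),
        "src": m.group("src"),
        "trap": trap_oid,
        "varbinds": varbinds,
    }


def interesting_events(log_text):
    """Return (timestamp, agent, trap OID, reason) for every trap in INTERESTING."""
    events = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reason = INTERESTING.get(rec["trap"])
        if reason is not None:
            events.append((rec["ts"], rec["agent"], rec["trap"], reason))
    return events


def auth_failures_by_agent(log_text, threshold=2):
    """Count authenticationFailure traps per agent; return those at or above
    threshold, the devices someone is probing with wrong community strings."""
    counts = Counter(
        rec["agent"]
        for rec in map(parse_line, log_text.splitlines())
        if rec and rec["trap"] == "SNMPv2-MIB::authenticationFailure"
    )
    return {agent: n for agent, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for ts, agent, trap, reason in interesting_events(SAMPLE_LOG):
        print(f"{ts} {agent} {trap}: {reason}")
    for agent, n in auth_failures_by_agent(SAMPLE_LOG).items():
        print(f"{agent}: {n} authentication failures, check who is probing it")
```

Run it against the real file with `python3 filter.py < /var/log/snmptrapd.log` after replacing SAMPLE_LOG with `sys.stdin.read()`; the linkUp trap and the daemon's own start/stop lines are ignored, which is the point of filtering rather than reading the whole file.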
