Vunetrix Network Monitor vCloud

Vunetrix Manual: Monitoring Syslogs and SNMP Traps

Vunetrix is utilizable as a full scale syslog server and SNMP trap receiver. Every Vunetrix installation includes this functionality so no additional software is needed. This manual section describes a sample configuration for Vunetrix's syslog and SNMP trap receiver and gives you an idea about how to use these features.

Syslog is a well-established standard for computer message logging. Many network devices support sending syslogs to communicate informational, analysis, and debugging messages which are intended for network management and security auditing. SNMP traps are asynchronous notifications from SNMP-enabled devices and can be used to report important incidents and data, just like syslog messages. Devices trigger these messages for various reasons, such as system events, outages, critical conditions, and many more.

Vunetrix provides two dedicated sensor types which work as full scale syslog resp. SNMP trap receivers:

Because both the syslog and the trap receiver are implemented as common sensor types, you do not need to install software in addition to Vunetrix (for example, you do not need an extra syslog server but only the Vunetrix web server). You can create the Syslog Receiver as well as the SNMP Trap Receiver sensors in the usual Vunetrix way via the add sensor dialog. Then configure your syslog- or SNMP trap-enabled device(s) to send messages to Vunetrix.

Vunetrix is able to handle about 10,000 syslog and trap messages per second on a quad core desktop machine. You can filter the incoming messages by various parameters so that Vunetrix will process only specific messages and purge other data right away. Processed messages are stored in an internal high-performance database on the particular probe machine and are available for reviewing and analyzing via Vunetrix's web interface. The main limiting factor for Vunetrix's syslog and trap receivers is the hard disk space on the machine running the Vunetrix probe with these sensors.

Sample Configuration

Follow the steps below for a sample configuration of Syslog and SNMP Trap Receiver sensors. You can apply these instructions to both the SNMP Trap Receiver as well as the Syslog Receiver because the setup works in a similar way for both.

  1. Adding the Receivers
  2. Configure the Source Devices
  3. Collect Messages
  4. Review and Analyze Messages
  5. Refine the Filters
  6. Create Notification Triggers
     

Step 1: Add a Syslog Receiver or SNMP Trap Receiver sensor to Vunetrix.
Both sensor types inherit an implicit filter by the IP address of the parent device. So, on the one hand, it is possible to add these sensors to a probe device. Then you will receive all messages from the system running the probe and can optionally filter for specific sources later. On the other hand, you can add these sensors directly to the source device. Then only messages from this device will be processed.

Add the receiver sensors to the desired device in the common way, for example, via the device's context menu. We recommend leaving the sensor's default settings unchanged for the first configuration (port, include and exclude filter, warning and error filter) to see what data actually comes in.

Note: Adding the sensor to a network device directly will increase its speed in comparison to a filter definition in the sensor settings. Distributing Syslog and SNMP Trap Receiver sensors over different probes will make the overall performance scalable and gives you variability for the place of data storage.

Syslog Receiver Sensor in the Add Sensor Dialog

Syslog Receiver Sensor in the Add Sensor Dialog

 
Step 2: Configure your network device(s) which support sending syslogs or SNMP traps appropriately.
Configure your syslog or SNMP trap ready devices to send syslogs or traps (see documentations of the respective device vendors). They have to address the Vunetrix probe on which your Syslog or SNMP Trap Receiver sensor runs. So specify the IP address of the machine with the respective Vunetrix probe. If you keep your syslog or trap receiver's default settings, use the port 514.

Note: The protocol is User Datagram Protocol (UDP).

Default Sensor Settings: Sufficient for the First Configuration

Default Sensor Settings: Sufficient for the First Configuration

 
Step 3: Start collecting syslog or SNMP trap messages from your devices.
You do not have to accomplish any further configuration steps to use Vunetrix as a syslog server or SNMP trap receiver. When your device(s) send syslogs or SNMP traps to the specified Vunetrix probe machine, the messages will appear automatically in Vunetrix's web interface. After each sensor scan (by default inherited from the parent device), Vunetrix will count the received syslogs or traps in the according channels (total number of messages during the last interval, error and warning messages, or dropped packets).

Let the syslog receiver or the SNMP trap receiver collect data for a while to see what comes in. By default, the respective sensor will go into a Warning status if there was at least one message with severity 4 and into an Error status if there was at least one message with severity 3 or lower during the last sensor scan.

Note: Incoming messages are counted per scanning interval, so it might take a few moments to see the received syslogs/traps, depending on the remaining time until the next sensor scan. Of course, you can use Check Now via the sensor's context buttons to perform an immediate scan and see corresponding data. The sensor states are also defined per scan.
So, for example, a message which is classified as error will count for the error channel only for one scanning interval; if there is no new error message in the following scanning interval, no message is shown in the error channel anymore and the error status will disappear after the next sensor scan. The syslog or trap itself will still be accessible on the Messages tab.

Syslog Receiver Sensor with Error Messages

Syslog Receiver Sensor with Error Messages

 
Step 4: Review and analyze the collected data.
All incoming messages which match the include filter are processed and stored in Vunetrix's internal high-performance database. Review and analyze the received syslogs and traps via Vunetrix's web interface. For details, see the respective manual sections of SNMP Trap Receiver Sensor and Syslog Receiver Sensor. Then you can decide about further filtering of the incoming messages.

Note: The received data is also available in Vunetrix's data folder as common files. One data file is created per hour.

Note: For the SNMP Trap Receiver sensor, you can add the Management Information Base (MIB) files of your device(s) to the \MIB subfolder of Vunetrix. This will result in Object Identifier (OID) resolution and makes trap messages more comprehensible.

Received Syslogs on the Messages Tab

Received Syslogs on the Messages Tab

 
Step 5: (Optionally) refine the filters.
In order to enhance the productivity with your Vunetrix syslog servers and trap receivers, you can adjust the default filter settings. Vunetrix provides you a comprehensible formula system that you can use to describe which kind of messages you want to process and which of them will count as error or warning messages. You can configure the following filters for received messages in the settings of the respective receiver:

  • Include filter: Process and store specific types of messages only.
  • Exclude filter: Do not process specific types of messages and discard them.
  • Warning filter: Define rules to categorize received messages as warnings.
  • Error filter: Define rules to categorize received messages as errors.

Use the syntax which is provided in the corresponding manual sections to define your individual filter rules: SNMP Trap Receiver Sensor and Syslog Receiver Sensor.

Note: You can create filter rules with a few mouse clicks using the Advanced Filter on the Messages tab of a specific sensor and copy these rules into the sensor settings to apply them.

Advanced Filter Created on the Messages Tab

Advanced Filter Created on the Messages Tab

 
Step 6: (Optionally) create notification triggers.
By default, the warning and error channels of the Syslog and SNMP Trap Receiver sensors have a very low upper warning resp. error limit (0.00000001). The reason for this is that even when only one syslog or trap has been counted in the respective channel during a scanning interval, the overall status of the sensor will show this with the corresponding status. This way, you will always recognize if there is something wrong on the monitored system.

Because of this sensor behavior, best practice would be to add a State Trigger on the Notifications tab of the sensor if you want to get a notification when a warning or error message type comes in. Define a very low Down or Warning time condition to not miss any warnings or errors, for example 1 second; it has to be lower than the scanning interval in any case! Another option would be a Speed Trigger for notifications regarding messages per second.

State Trigger with a 1 Second Condition

State Trigger with a 1 Second Condition

 

Next Topic

Keywords: Note: