The difference between SNMP TRAP and syslog in log acquisition mode

absrtact : Log files can record the various events occurring every day in detail, which plays an important role in network security. Network Center has a large number of security devices, it is very time-consuming and laborious to view all the security devices individually. In addition, because the security device's cache in the first-out queue mode to process the log records, the record is not long save time will be refreshed, some important log records can ...

Log files are capable of documenting the various events that occur every day in the system, which plays an important role in network security. Network Center has a large number of security devices, it is very time-consuming and laborious to view all the security devices individually. In addition, because the cache of the security appliance processes logging in FIFO-first-out queue mode, records that are not kept for a long time will be refreshed and some important log records may be overwritten. Therefore, in daily network security management should establish a set of effective log data collection methods, all security equipment log records summary, easy to manage and query, extract useful log information for network security management use, timely found about security equipment in the process of security problems, In order to better ensure the network uptime.

Comparison of acquisition techniques

Network management commonly used to collect log data, including text mode acquisition, SNMP trap mode acquisition and Syslog mode acquisition, in addition, other acquisition methods, such as Telnet acquisition (Remote control command acquisition), serial port acquisition. How to choose a more appropriate technical way to log data collection is the first consideration, the following is the main log data acquisition technology for a simple analysis.

text Mode

In the unified security management system, the textual acquisition of log data mainly refers to mail or FTP mode. e-mail means to set the alarm or notification conditions in the security device, when the conditions of the event occurs, the relevant situation is recorded, and then at a certain time by the security device or system to actively send these log messages to the recipient of the message, belonging to the passive acquisition of log data mode. The log information is usually transmitted in text, with relatively little information being transmitted and required to be understood by a professional. And the FTP method must be developed in advance specific acquisition procedures for log data collection, each connection is a complete download of the entire log text file, the network transmission data volume may be very large, belonging to the active acquisition of log data mode.

With the rapid development of the network, the network internal to hundred trillion, gigabit or even million trillion connected, even take the powerful computer to handle the collection of log data packets, relatively speaking, the above two ways of speed and efficiency is unsatisfactory. Therefore, the text method can only be used in the network with small range and slow speed of collecting log data, which is generally not used in network security management.

SNMP Trap Mode

Based on the network management of Simple Network Management Protocol SNMP, SNMP trap is SNMP MIB, because the SNMP MIB defines what information the device can be collected, which trap trigger conditions can be defined, only events that meet the trap trigger conditions are sent. It is common to use SNMP Trap mechanisms for log data collection. Events that generate trap messages, such as system restarts, are defined internally by the trap proxy and not by the universal format. Because the trap mechanism is event-driven, the agent notifies the management system only when the supervisor hears the failure, and the non-fault information is not notified to the management system. For this method of log data acquisition can only be done under SNMP, the generated message format is defined separately, for the non-support SNMP device commonality is not very strong.

Some of the network equipment fault log information, such as environment, SNMP access failure and other information is reported by the SNMP trap, through the SNMP data packet interpretation of the Trap field value can obtain a network device important information, This shows that the management process must be able to fully and correctly interpret the trap data sent by various devices on the network, in order to complete the information monitoring and data collection of network equipment.

However, due to the diversity of network structure and network technology, and the different means of managing its network equipment, the network management system is required not only to interpret the public Trap correctly, but also to understand the private parts of different vendors ' network devices so as to correctly resolve the private traps sent by different manufacturers ' network devices. It is also necessary to work closely with manufacturers to develop joint technologies to ensure that the private Trap is fully and correctly parsed and applied. This causes the way to face the different manufacturers of product acquisition log data method needs to be programmed separately, and to fully explain all the log information in order to effectively capture the log data. This shows that the acquisition in the daily log data collection is not strong universality.

syslog mode

The System log (syslog) protocol, which has become an industry standard protocol, was developed in the implementation of the TCP/IP system at the California University's Berkley Software Distribution Research Center (BSD) and is currently used to record device logs. In routers, switches, servers and other network equipment, Syslog records any event in the system, the manager can check the system records, keep abreast of system conditions. It is capable of receiving log records from remote systems, processing records containing multiple systems in a single log, and filing them as files. You can view all the records in one place without having to connect to multiple systems at the same time. The syslog uses UDP as the transport protocol, sending the log management configuration of all security devices to the log server that has the Syslog software system installed through the destination port 514 (or other defined port number), and the Syslog log server automatically receives the log data and writes it to the log file.

In addition, the use of syslog to collect log data is very convenient, and has the following reasons:

First, syslog protocol is widely used in programming, many log functions have adopted the SYSLOG protocol, Syslog is used in many protection measures. Any event can be logged through it. Record the health of a user-developed application through system calls. The research and development of some system programs is one of the key points of the log system, for example, the network device log function calls and logs the important behavior of the network application to the Syslog interface, and most of the internal system tools (such as mail and printing systems) generate information so many new programs ( such as tcpwrappers and SSH) are working as well. by SYSLOGD (The daemon responsible for most system events), a system event can be written to a file or device, or a message is sent to the user. It can log events on the ground or over the network to remote devices.

Second, today's network devices generally support the Syslog protocol. Almost all network devices can pass the Syslog protocol, the log information is transmitted to the remote server by the User Datagram Protocol (UDP), the remote receiving log server must listen to UDP port 514 through SYSLOGD, and according to The configuration in the syslog.conf configuration file handles this machine, receives the log information of the access system, writes the specified event to a specific file, and is used by the backend database for administration and response. means that any event can be logged on to one or more servers in case the backend database uses the off-line (offline) method to analyze the events of the remote device.

Thirdly, the basic principle of the Syslog protocol and process is simplicity, which does not require strict coordination between the sender and receiver of the Protocol. In fact, the delivery of syslog information can begin without the receiver being configured or even without a receiver. Conversely, the receiver can receive information without a clear configuration or definition. (Network reprint, original source unknown)