nv-l

RE: [nv-l] Off Topic: Cisco and Tivoli Integration

2002-05-30 15:27:47
Subject: RE: [nv-l] Off Topic: Cisco and Tivoli Integration
From: "Barr, Scott" <Scott_Barr AT csgsystems DOT com>
To: <nv-l AT lists.tivoli DOT com>
Date: Thu, 30 May 2002 14:27:47 -0500
Small typo in this - I meant to compare the router trap and the firewall trap but I mentioned a content switch trap by accident.
 
-----Original Message-----
From: Barr, Scott
Sent: Thursday, May 30, 2002 2:23 PM
To: 'nv-l AT lists.tivoli DOT com'
Subject: RE: [nv-l] Off Topic: Cisco and Tivoli Integration

It's even more scary than you think.

Here is what those yokels at Cisco are doing now with firewalls and content switches......

First of all, EVERY trap from the content switches and the firewalls is a syslog trap. Period.

Second of all, they don't even play by the same rules. Here are a couple of examples:

Firewall failover trap:

1019591095 3  Tue Apr 23 14:44:55 2002 ###.###.###.###              A clogMessageGenerated trap received from enterprise cisco-syslog with 5 arguments: clogHistFacility=20; clogHistSeverity=2; clogHistMsgName=Syslog Trap; clogHistMsgText=709003: (Primary) Beginning configuration replication: Send to mate.; clogHistTimestamp=383794600
Notice there is a variable clogHistMsgName and from a firewall, this message "name" is just "Syslog Trap" - the identifying characteristic is the 709003 in the clogHistMsgText. This number means that this syslog trap is for configuration replication. Okay, now look at the trap from a content switch:
 
Router Trap:
 
1021970438 7 Tue May 21 03:40:38 2002 ########.csgsystems.com A clogMessageGenerated trap received from enterprise cisco-syslog with 5 arguments: clogHistFacility=OSPF; clogHistSeverity=5; clogHistMsgName=DUP_RTRID_AS; clogHistMsgText=Detected router with duplicate router ID 10.255.255.4 in Type-4 LSA advertised by 10.255.255.3; clogHistTimestamp=379244423
 
Notice the clogHistMsgName here is NOT "Syslog Trap" as in the first example even though they both claim to be enterprise cisco-syslog traps. The identifying characteristic in the trap is NOT the first part of the clogHistMsgText as in the first example, but the clogHistMsgName. So if you are processing traps based on the presence of "Syslog Trap" you won't find it in syslog traps under certain circumstances. Maybe the "missing" traps use this exactly-the-same-but-different coding.
 
And while we are on the subject, don't try and use SNMP to get an interface table out of a backup firewall unless you are on PIX v6.2. Good lord.
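
An added example, not part of the original message and not NetView or Cisco code: a small Python classifier for the two `clogMessageGenerated` log lines quoted above. It derives one event key per trap whichever field carries the identifier, and shows that a filter keyed only on "Syslog Trap" drops the router trap. The function names and the key format are assumptions made for illustration.

```python
import re

# The two log lines quoted in the message above (addresses masked as posted).
_PREFIX = ("A clogMessageGenerated trap received from enterprise cisco-syslog "
           "with 5 arguments: ")
FIREWALL_LINE = (
    "1019591095 3  Tue Apr 23 14:44:55 2002 ###.###.###.###              " + _PREFIX +
    "clogHistFacility=20; clogHistSeverity=2; clogHistMsgName=Syslog Trap; "
    "clogHistMsgText=709003: (Primary) Beginning configuration replication: "
    "Send to mate.; clogHistTimestamp=383794600")
ROUTER_LINE = (
    "1021970438 7 Tue May 21 03:40:38 2002 ########.csgsystems.com " + _PREFIX +
    "clogHistFacility=OSPF; clogHistSeverity=5; clogHistMsgName=DUP_RTRID_AS; "
    "clogHistMsgText=Detected router with duplicate router ID 10.255.255.4 in "
    "Type-4 LSA advertised by 10.255.255.3; clogHistTimestamp=379244423")

# A value ends at the next "; clogHist...=" or at end of line, so colons and
# full stops inside clogHistMsgText do not split it.
VARBIND = re.compile(r"(clogHist\w+)=(.*?)(?=; clogHist\w+=|$)")
MSG_ID = re.compile(r"\s*(\d+):")

def parse_varbinds(line):
    """Return the clogHist* variables as a dict, or None for other lines."""
    if "clogMessageGenerated" not in line or "arguments:" not in line:
        return None
    return dict(VARBIND.findall(line.split("arguments:", 1)[1].strip()))

def naive_match(line):
    """The filter the message warns about: keyed on the literal name only."""
    vb = parse_varbinds(line)
    return bool(vb) and vb.get("clogHistMsgName") == "Syslog Trap"

def event_key(line):
    """Hypothetical normalised key: numeric ID for firewall-style traps,
    FACILITY-MNEMONIC for router-style traps."""
    vb = parse_varbinds(line)
    if vb is None:
        return None
    name = vb.get("clogHistMsgName", "").strip()
    text = vb.get("clogHistMsgText", "")
    if name == "Syslog Trap":
        m = MSG_ID.match(text)  # identifier is the number leading the text
        return ("msgid", m.group(1)) if m else ("unclassified", text[:40])
    if name:  # identifier is the message name itself
        return ("mnemonic", vb.get("clogHistFacility", "?") + "-" + name)
    return ("unclassified", text[:40])

if __name__ == "__main__":
    for sample in (FIREWALL_LINE, ROUTER_LINE):
        print(naive_match(sample), event_key(sample))
```
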


-----Original Message-----
From: Allison, Jason (JALLISON) [mailto:JALLISON AT arinc DOT com]
Sent: Thursday, May 30, 2002 1:35 PM
To: 'nv-l'
Subject: RE: [nv-l] Off Topic: Cisco and Tivoli Integration


I would also be interested in hearing examples.  It seems a bit scary that
Cisco would write events to syslog but not send traps.

Thanks,


Jason Allison
Principal Engineer
ARINC Incorporated
Office:  (410) 266-2006
FAX:  (410) 573-3026



-----Original Message-----
From: Barr, Scott [mailto:Scott_Barr AT csgsystems DOT com]
Sent: Thursday, May 30, 2002 2:29 PM
To: nv-l AT lists.tivoli DOT com
Subject: RE: [nv-l] Off Topic: Cisco and Tivoli Integration


My experience says that I have not seen a syslog message on a router that is
not sent as a trap. Do you have an example? Does the router in question
support logging of various severity levels? What version IOS too would be
helpful.

-----Original Message-----
From: Scott Bursik [mailto:tivoliesm AT hotmail DOT com]
Sent: Thursday, May 30, 2002 11:20 AM
To: nv-l AT lists.tivoli DOT com
Subject: [nv-l] Off Topic: Cisco and Tivoli Integration



Group,


I have a question that is sort of off topic, but I am sure that someone in
this forum has some experience.

We are looking for a way to monitor messages coming from Cisco devices. We
have a central syslog running on an AIX box that all of the Cisco devices in
our network write to. We also receive some traps from the devices, but there
are syslog messages that are not traps that we are interested in. We are
trying to implement a TEC syslog adapter but the limitations of the adapter
don't allow for the granularity that we are looking for. I was just wondering
how other companies have implemented a Tivoli/Cisco solution.

Any information anyone could provide would be greatly appreciated.

Thank You,

Scott Bursik
Pepsico Business Solutions Group
scott.bursik AT pbsg DOT com

---------------------------------------------------------------------
To unsubscribe, e-mail: nv-l-unsubscribe AT lists.tivoli DOT com
For additional commands, e-mail: nv-l-help AT lists.tivoli DOT com

*NOTE*
This is not an Official Tivoli Support forum. If you need immediate
assistance from Tivoli please call the IBM Tivoli Software Group
help line at 1-800-TIVOLI8(848-6548)

