October 3, 2017 | IBM i

SNMP and Syslog: Their Roles in IBM i Monitoring


Increasing regulatory pressure is driving companies to implement an enterprise Security Information and Event Management (SIEM) solution using the syslog protocol. As a result, syslog has lately received much more attention than the Simple Network Management Protocol (SNMP). While SNMP is still prevalent in the market, there has been a definite shift towards syslog in recent years, likely because SNMP is geared more towards automation while syslog is geared more towards security; both matter when monitoring your IBM i environment.


While security is definitely a hot topic, automation is also important. Being proactive not only decreases problem resolution time, it also increases system availability. This is why it is important for IT departments to find a SIEM or monitoring solution that supports both the SNMP and syslog formats.


Let’s look at the differences between SNMP and syslog and at how they can be used together to provide a more complete audit trail and to let you be more proactive in IBM i security and systems management.

What are SNMP and syslog?

Simple Network Management Protocol (SNMP) was developed to allow remote monitoring of network devices over IP networks. SNMP is used to collect information from network devices such as routers and switches, and from Windows and IBM Power Systems servers; it can also be used for configuration and modification. Using SNMP, companies can capture trap messages in SIEM or monitoring solutions and alert someone when a specific message is received. Since SNMP can also be used to modify a device, companies can respond to a particular message to correct the problem, which supports automation.

Syslog is a cross-platform standard for system event message logging. It defines a standard agent for collecting system event information from a variety of systems, devices, appliances, and network equipment and storing it on a central syslog server. Using a SIEM solution, companies can easily analyze the syslog data and be alerted to critical events. Unlike SNMP, syslog does not support a response back to the offending device or server.
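As an added example (not SEA's code and not from the original page), the following Python parser shows what a syslog agent actually ships to the central server and how a monitoring rule of the kind described above can act on it. It handles both the older RFC 3164 header and the RFC 5424 header with structured data, decodes the PRI field into facility and severity, and flags lines that are at severity err or worse or that match a watched message text. The sample lines, the host name ibmi-prod, the app names and the example@32473 structured-data element are all constructed (32473 is the enterprise number reserved for documentation).

```python
"""Syslog line parser with a simple alert rule (added example; not SEA's code).

Handles the two common syslog header formats, RFC 3164 ("BSD") and RFC 5424,
decodes the PRI field into facility and severity, and applies the kind of
"alert when a specific message arrives" rule the text describes.
All sample lines below are constructed, not captured from a real system.
"""
import re

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI>VERSION TIMESTAMP HOST APP PROCID MSGID STRUCTURED-DATA [MSG]
RFC5424 = re.compile(
    r"^<(\d{1,3})>(\d+) (\S+) (\S+) (\S+) (\S+) (\S+) (-|(?:\[[^\]]*\])+)(?: (.*))?$")
# <PRI>Mmm dd hh:mm:ss HOST CONTENT
RFC3164 = re.compile(r"^<(\d{1,3})>([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$")
SD_ELEMENT = re.compile(r"\[([^\s\]]+)([^\]]*)\]")
SD_PARAM = re.compile(r'(\S+?)="([^"]*)"')


def decode_pri(pri):
    """PRI = facility * 8 + severity; valid range is 0..191."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return pri // 8, pri % 8


def encode_pri(facility, severity):
    return facility * 8 + severity


def _parse_sd(sd):
    """'[id k="v" ...][id2 ...]' -> {id: {k: v}}; a bare '-' means no structured data."""
    if sd == "-":
        return {}
    return {m.group(1): dict(SD_PARAM.findall(m.group(2))) for m in SD_ELEMENT.finditer(sd)}


def parse_syslog(line):
    """Return a dict of header fields plus facility/severity names for one line."""
    m = RFC5424.match(line)
    if m:
        pri, _ver, ts, host, app, procid, msgid, sd, msg = m.groups()
        fac, sev = decode_pri(int(pri))
        return {"format": "rfc5424", "timestamp": ts, "host": host, "app": app,
                "procid": procid, "msgid": msgid, "sd": _parse_sd(sd),
                "facility": FACILITIES[fac], "severity": SEVERITIES[sev],
                "severity_num": sev, "message": msg or ""}
    m = RFC3164.match(line)
    if m:
        pri, ts, host, content = m.groups()
        fac, sev = decode_pri(int(pri))
        tag = re.match(r"([\w./-]+)(?:\[\d+\])?: ", content)   # "app[pid]: " prefix, if any
        return {"format": "rfc3164", "timestamp": ts, "host": host,
                "app": tag.group(1) if tag else "", "procid": "-", "msgid": "-", "sd": {},
                "facility": FACILITIES[fac], "severity": SEVERITIES[sev],
                "severity_num": sev, "message": content}
    raise ValueError(f"unrecognised syslog line: {line!r}")


# Constructed alert rules: anything at severity err or worse, plus one specific
# message text a security team would want to see immediately.
WATCH_PATTERNS = [re.compile(r"authority failure", re.I)]


def should_alert(event):
    """Return the reason to alert, or None when nothing fires."""
    if event["severity_num"] <= SEVERITIES.index("err"):
        return f"severity {event['severity']}"
    for pat in WATCH_PATTERNS:
        if pat.search(event["message"]):
            return f"matched /{pat.pattern}/"
    return None


SAMPLE_LINES = [  # constructed; host, apps and the example@32473 element are hypothetical
    "<27>Oct 11 22:14:15 ibmi-prod ftpd[4711]: connection from 203.0.113.7 refused",
    '<165>1 2017-10-03T09:15:00Z ibmi-prod audit - AF '
    '[example@32473 user="JDOE" object="PAYROLL"] authority failure',
    "<14>1 2017-10-03T09:16:02Z ibmi-prod qsys - - - user QSECOFR signed on",
]


def triage(lines=SAMPLE_LINES):
    """Parse every line and attach the alert reason (None when nothing fires)."""
    events = []
    for line in lines:
        ev = parse_syslog(line)
        ev["alert"] = should_alert(ev)
        events.append(ev)
    return events


if __name__ == "__main__":
    for ev in triage():
        print(f"{ev['host']:10} {ev['facility']:8} {ev['severity']:8} "
              f"{ev['alert'] or '-':28} {ev['message']}")
```

Run it directly to print a triage table for the sample lines; pointing triage() at lines read from a real collector turns it into a filter in front of an alerting step. The PRI arithmetic is why a SIEM can sort events by severity without understanding the message text, and the structured-data block is where an RFC 5424 sender puts machine-readable fields such as the user and object involved.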

What are the Key Differences between SNMP and syslog?

Here are the key differences between SNMP and syslog:

  • Real-time notification versus historical data – SNMP was developed to alert you to an event in real time. Syslog was developed to centralize log information for historical purposes.
  • Pull versus push – SNMP sends a request to the device asking for information, while the syslog server is simply a repository of pushed information that can then be queried to retrieve more detail.
  • Reliability – Syslog devices cannot ensure that their messages reach the syslog server. SNMP polls the device to get information and therefore cannot lose data.
  • Proactive versus reactive – SNMP can respond to a trap and take some action. Syslog can’t do that.
  • Status change versus detailed information – SNMP alerts you to a change in status, such as a line becoming unavailable. Syslog can include more detail about why something occurred.
  • Secure versus insecure – SNMP messages are secure and cannot be tampered with, while syslog messages are insecure and can be tampered with.
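To make the "pull" side of this comparison concrete, here is an added example (not code from SEA or from the original page) that builds the exact bytes an SNMPv2c poller sends to ask a device for sysUpTime.0, a standard MIB-2 object, and then parses them back. Everything is constructed in memory and nothing is sent on the network; the BER encoder covers only short-form lengths (under 128 bytes), which is enough for a one-varbind request. One caveat a practitioner will want beside the "secure versus insecure" item: in SNMPv1 and v2c the community string sits in the clear in every message, as the decoder shows; message authentication and encryption arrive only with SNMPv3's User-based Security Model.

```python
"""Minimal SNMPv2c GetRequest encoder/decoder (added example, not the page's code).

Shows the bytes a poller sends for a GET of sysUpTime.0 and parses them back.
Only BER short-form lengths (< 128 bytes) are handled, which is enough for a
one-varbind request; no packets are sent.
"""

SNMP_V2C = 1                          # version field value for SNMPv2c
GET_REQUEST_TAG = 0xA0                # context-specific, constructed, tag 0
SYS_UPTIME_0 = "1.3.6.1.2.1.1.3.0"    # standard MIB-2 sysUpTime.0


def _tlv(tag, body):
    """BER tag-length-value in definite short form."""
    if len(body) >= 128:
        raise ValueError("long-form length not handled in this example")
    return bytes([tag, len(body)]) + body


def encode_int(value):
    """BER INTEGER: two's complement, minimal number of octets."""
    length = max(1, (value.bit_length() + 8) // 8)
    return _tlv(0x02, value.to_bytes(length, "big", signed=True))


def encode_oid(dotted):
    """BER OBJECT IDENTIFIER: first two arcs packed into one octet, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))   # continuation bit on all but the last octet
            arc >>= 7
        body.extend(reversed(chunk))
    return _tlv(0x06, bytes(body))


def build_get_request(community, oid, request_id=1):
    """SNMPv2c message: SEQUENCE { version, community, GetRequest-PDU }."""
    varbind = _tlv(0x30, encode_oid(oid) + b"\x05\x00")        # value is NULL in a request
    pdu_body = (encode_int(request_id)
                + encode_int(0) + encode_int(0)                   # error-status, error-index
                + _tlv(0x30, varbind))                            # VarBindList
    return _tlv(0x30, encode_int(SNMP_V2C)
                + _tlv(0x04, community.encode())                  # OCTET STRING, unencrypted
                + _tlv(GET_REQUEST_TAG, pdu_body))


def _read_tlv(buf, pos):
    """Return (tag, value bytes, position after the element)."""
    tag, length = buf[pos], buf[pos + 1]
    if length & 0x80:
        raise ValueError("long-form length not handled in this example")
    start = pos + 2
    return tag, buf[start:start + length], start + length


def decode_oid(body):
    arcs = [body[0] // 40, body[0] % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:            # continuation bit clear ends the arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def parse_get_request(msg):
    """Walk the message; the community string comes straight out as plaintext."""
    tag, body, _ = _read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, ver, pos = _read_tlv(body, 0)
    _, community, pos = _read_tlv(body, pos)
    pdu_tag, pdu, _ = _read_tlv(body, pos)
    _, rid, pos = _read_tlv(pdu, 0)
    _, _, pos = _read_tlv(pdu, pos)          # error-status
    _, _, pos = _read_tlv(pdu, pos)          # error-index
    _, vbl, _ = _read_tlv(pdu, pos)
    oids, p = [], 0
    while p < len(vbl):
        _, vb, p = _read_tlv(vbl, p)
        _, oid_body, _ = _read_tlv(vb, 0)
        oids.append(decode_oid(oid_body))
    return {"version": int.from_bytes(ver, "big", signed=True),
            "community": community.decode(),
            "pdu_tag": pdu_tag,
            "request_id": int.from_bytes(rid, "big", signed=True),
            "oids": oids}


if __name__ == "__main__":
    msg = build_get_request("public", SYS_UPTIME_0)
    print(msg.hex())
    print(parse_get_request(msg))
```

Every poll is a request the manager chooses to send, which is the point of the "pull versus push" item: the monitoring side controls the schedule and notices a missing reply, whereas a syslog sender fires and forgets. The hex output also makes the last item easy to judge for yourself: the community string is readable in the datagram, so restrict which hosts may query your agents, use SNMPv3 where the device supports it, and treat v1/v2c community strings as shared secrets on a trusted management network.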

SNMP & syslog for improved security and system health

Despite the push for increased security, companies also want to improve their automation. SNMP allows companies to be proactive in responding to system health issues, which is critical for system availability and performance. SNMP offers the ability to poll for a specific event and react based on the response. If an event occurs, you can actually take steps to correct it, which is a huge win for the business.


With syslog, companies can centralize all of their audit information in one place, which is especially useful for producing audit reports. They can then use monitoring solutions like AbsMessage to alert someone when a specific message is received, or to initiate a response automatically, ensuring that security threats are responded to in real time and mitigating risk.


The good news is that you don’t have to choose between SNMP and syslog. You can use whichever protocol fits your needs or your current monitoring setup. The key is to find monitoring solutions that support both the SNMP and syslog formats, in order to improve the security, health and performance of your IBM i.


At SEA, we provide SIEM and monitoring solutions such as SEA’s iSecurity Audit and AbsMessage, which work with both protocols. Please feel free to contact us for more information about SNMP and syslog monitoring.