Customers frequently ask questions about the necessity of Syslog. “I have turned SNMP on and am collecting SNMP stats and alerts. Isn’t that enough?” It depends.
The first answer is relatively simple; if you are monitoring solely for up/down status, well known error conditions, some performance parameters and high-level troubleshooting, then SNMP will address your needs.
However, to understand individual device to device or user to device transactions at a highly detailed level then it is advisable to enable Syslog and collect the messages generated by each device.
While most networking devices support SNMP and virtually all network management solutions use SNMP as their main mechanism to provide status of networked devices, SNMP can be limited in scope compared to Syslog. For example, a large Cisco switch may have over 6,000 different Syslog event messages and the specific SNMP MIB for the device supports approximately 90 trap notifications.
Would you rather have 6,000 different types of events to monitor through Syslog or 90 through SNMP?
While 6,000 different events may seem daunting, some of the lower level informational or debug messages can be filtered out for reporting and analysis, but still stored as part of a Syslog log management strategy. The good news here is that customers can now have the best of both worlds.