
Receiving Logs & Traps

A collector is how your devices’ logs and traps get into GridNMS. Point a device at a collector’s address on the right port, and the collector receives the messages and ships them up to GridNMS, where they become searchable and alertable.

Every collector listens for the two most common formats out of the box, and you can enable additional, more capable listeners per collector when you need them.

Open a collector under Configure → Collectors to manage how it receives logs.

Every collector accepts these two with no configuration:

| What | Port | Used by |
|---|---|---|
| Syslog over UDP | 514 (UDP) | Switches, routers, firewalls, servers, Linux/Unix hosts — the standard for almost everything. |
| SNMP traps | 162 (UDP) | Network gear sending event notifications (link down, fan failure, and so on). |

For most networks, this is all you need: configure each device to send its syslog to the collector’s IP on port 514, and its SNMP traps to the collector’s IP on port 162.

Plain UDP syslog is simple and lightweight, but it has trade-offs: UDP can silently drop messages under heavy load, and it isn’t encrypted. For environments that need guaranteed delivery, encryption in transit, or HTTP-based sources, a collector can run additional listeners.

Open the collector under Configure → Collectors and look for the log ingestion settings. Each advanced listener has an enable toggle and a port you can set.

Reliable delivery. TCP syslog uses a connection-oriented transport, so messages aren’t silently dropped the way they can be with UDP when a device or the network gets busy. It also handles larger messages cleanly.

  • Enable the TCP syslog listener and set its port (a common choice is 601).
  • Point devices that support TCP syslog at the collector’s address on that port.

Choose this when: you’re seeing dropped messages under load, you have chatty devices, or you simply want delivery you can count on.

| Option | Delivery | Encrypted | Best for |
|---|---|---|---|
| UDP syslog (514) | Best-effort (can drop under load) | No | The default — simple, low overhead, works everywhere. |
| SNMP traps (162) | Best-effort | No | Event notifications from network hardware. |
| TCP syslog | Reliable | No | High-volume or critical devices where no message should be lost. |
| TLS syslog | Reliable | Yes | Logs crossing untrusted networks; compliance needs. |
| HTTP Event Collector | Reliable | Yes | Apps and cloud sources that POST events over HTTPS. |

Whichever option you use, the steps are the same shape:

  1. Find the collector’s address (its hostname or IP on the network your devices can reach).
  2. Pick the port for the transport you’ve enabled (514 for UDP syslog, 162 for traps, or the port you set for TCP/TLS/HEC).
  3. Configure the device’s logging or trap destination to that address and port.
  4. Generate some activity on the device, then confirm the messages show up in Logs & Log Search.

If nothing arrives, check the collector’s Channels tab — the logging channel shows the live receive rate, so you can tell whether messages are reaching the collector at all. See Collector Channels.
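To exercise step 4 without waiting for a real device event, the following added example (not GridNMS code) sends one labelled test message over UDP 514 and TCP 601 and shows why a successful UDP send proves nothing while a TCP failure is immediate. It assumes newline-terminated TCP framing, which this page does not specify; the host name, app name and the 192.0.2.10 address are constructed placeholders.

```python
import socket
import sys
from datetime import datetime, timezone


def build_syslog(text, facility=16, severity=6, now=None,
                 host="test-host", app="collector-check"):
    """Build an RFC 5424 line. PRI = facility * 8 + severity (local0.info = 134).
    host and app are constructed sample values."""
    now = (now or datetime.now(timezone.utc)).astimezone(timezone.utc)
    stamp = now.strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"<{facility * 8 + severity}>1 {stamp} {host} {app} - - - {text}".encode()


def send_udp(collector, payload, port=514):
    """Fire-and-forget: returns the bytes handed to the OS, which says nothing
    about whether a listener received them."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(payload, (collector, port))


def send_tcp(collector, payload, port=601, timeout=5.0):
    """Connection-oriented: a disabled listener or blocked port fails here.
    Assumes newline-terminated framing; the page does not state the framing."""
    try:
        with socket.create_connection((collector, port), timeout=timeout) as sock:
            sock.sendall(payload + b"\n")
        return "accepted"
    except OSError as exc:
        return f"failed: {type(exc).__name__}"


if __name__ == "__main__":
    # 192.0.2.10 is a documentation-range placeholder; pass the real address.
    collector = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"
    line = build_syslog("GridNMS collector test message")
    print("udp/514 bytes sent:", send_udp(collector, line))
    print("tcp/601:", send_tcp(collector, line))
```

A byte count from the UDP send only means the datagram left the host, so confirm arrival in Logs & Log Search or on the collector's Channels tab. A `failed:` result on TCP points at the listener toggle, the configured port, or a firewall in between.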