D. Turner, Kirill Levchenko, S. Savage, A. Snoeren
Title: A comparison of syslog and IS-IS for network failure analysis
Venue: Proceedings of the 2013 conference on Internet measurement conference
Publication date: 2013-10-23
DOI: 10.1145/2504730.2504766 (https://doi.org/10.1145/2504730.2504766)
Citations: 13
Abstract
Accurate reporting and analysis of network failures has historically required instrumentation (e.g., dedicated tracing of routing protocol state) that is rarely available in practice. In previous work, our group has proposed that a combination of common data sources could be substituted instead. In particular, by opportunistically stitching together data from router configuration logs and syslog messages, we demonstrated that a granular picture of network failures could be resolved and verified with human trouble tickets. In this paper, we more fully evaluate the fidelity of this approach, by comparing with high-quality "ground truth" data derived from an analysis of contemporaneous IS-IS routing protocol messages. We identify areas of agreement and disparity between these data sources, as well as potential ways to correct disparities when possible.