Subscribe

Question about a syslog aggregator

I'm looking for a solution that would allow me to take syslog output from all of my controllers to an external system.  I think I understand what my syslog.conf file needs to look like.  Where I'm stumped is picking add-ons or a replacement syslogd that would help with this.  In the end I'd like all messages to be logged to /etc/messages, also to the remote system, and then be searchable.  Any advice or nudges in the right direction would be greatly appreciated.  Thanks!

Question about a syslog aggregator

LogLogic will do this out of the box.  Very simple.  We are evaluating a LogLogic appliance now.  But, we are tring to setup CIFS auditing...not so easy!  If anyone can help, or know of a better solution, please, please advise.

Thanks!

Question about a syslog aggregator

Can you set syslog.conf to log locally and remotely?

*.info                                  /dev/console

*.info                                  /etc/messages

*.info                                  @hostname

Question about a syslog aggregator

yes...

*.*      @ipaddress of our syslog appliance

Question about a syslog aggregator

I took a look at Splunk yesterday and pointed all of my controllers at it...  was very easy to setup and appears to do exactly what I'm after.

I'll check out LogLogic as well after I've played with Splunk for a few days.  Thanks for the recommendation txskibum2000.

Question about a syslog aggregator

We looked at LogLogic and Splunk (as well as several others) but ended up going with LogZilla which was easily 1/10 of the cost of Splunk and *way* less than LogLogic. In the end, we really like the very easy to use interface that logzilla offered versus the othe vendors - heck, even my manager uses it.lol.

There's a really good guide on Cisco's website that talks about syslog management techniques as well as some of the various tools. We found this link a while back and it has really helped us.

Building Scalable Syslog Management Solutions

http://www.cisco.com/en/US/technologies/collateral/tk869/tk769/white_paper_c11-557812.html#wp9000410

HTH!

Question about a syslog aggregator

Something I ended up finding out that may be useful to the community in the future.  As it turns out, Splunk is free if you log less than 500mb of data per day.  In this particular environment that's the case.  You do lose multiple logins in the free version, but again that's okay in this particular environment.  I'll definitely keep LogZilla in mind though.

Re: Question about a syslog aggregator

rsyslog (default in Ubuntu) will accept syslog messages and has an addon package what will let you dump the logs to a database for easier searching.

Also, depending on the size of your infrastructure you may want log servers per location & then have them forward to a central box only if the criticality warrants it.

Finally be aware that most of the time this stuff is over UDP so you can't rely on the messages making it off the filer & the data is unencrypted so be aware others can read your logging messages.

Re: Question about a syslog aggregator

We are using  EventLog Analyzer from Manage Engine in a Enterprise account  ... it's very robust and reliable .... Performs the job very well.......