I'm looking for a solution that would allow me to take syslog output from all of my controllers to an external system. I think I understand what my syslog.conf file needs to look like. Where I'm stumped is picking add-ons or a replacement syslogd that would help with this. In the end I'd like all messages to be logged to /etc/messages, also to the remote system, and then be searchable. Any advice or nudges in the right direction would be greatly appreciated. Thanks!
rsyslog (default in Ubuntu) will accept syslog messages and has an addon package that will let you dump the logs to a database for easier searching.
Also, depending on the size of your infrastructure you may want log servers per location & then have them forward to a central box only if the criticality warrants it.
Finally, be aware that most of the time this stuff is over UDP, so you can't rely on the messages making it off the filer, and the data is unencrypted, so be aware others can read your logging messages.
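The layout the reply above describes (a log server per site that keeps a local copy, optionally writes to a database, and forwards only the important messages to a central box) as an rsyslog.conf sketch. This is an added example, not configuration from any poster in the thread; the hostnames, ports, certificate paths and database credentials are placeholders. The UDP forward is left in as a commented-out line to show the setting the reply warns about next to the TCP-plus-TLS alternative, which addresses both the delivery and the eavesdropping concern on the relay-to-central hop.

```conf
# Added example (not from the thread): rsyslog.conf for a per-site log relay.
# All hostnames, paths and credentials below are placeholders.

# --- Receive syslog from the filers / controllers ------------------------
module(load="imudp")             # UDP/514: what most appliances can send;
input(type="imudp" port="514")   # lossy, unauthenticated, cleartext
module(load="imtcp")             # TCP/514: use where the sender supports it
input(type="imtcp" port="514")

# --- Keep a local copy of everything ------------------------------------
*.*  /var/log/messages

# --- Optional: also write to a database for searching (rsyslog-mysql) ----
module(load="ommysql")
*.*  :ommysql:dbhost.example.internal,Syslog,rsyslog,CHANGE_ME_PASSWORD

# --- Forward to the central box -----------------------------------------
# Weak setting: plain UDP. Fire-and-forget, drops silently on congestion,
# and anyone on the path can read the messages.
#*.crit  @central.example.internal:514

# Better: TCP with a disk-assisted queue so messages survive an outage of
# the central box, wrapped in TLS via the gtls driver (rsyslog-gnutls).
$DefaultNetstreamDriver gtls
$DefaultNetstreamDriverCAFile /etc/rsyslog.d/certs/ca.pem
$DefaultNetstreamDriverCertFile /etc/rsyslog.d/certs/site1-cert.pem
$DefaultNetstreamDriverKeyFile /etc/rsyslog.d/certs/site1-key.pem

# Queue and TLS directives below apply to the next action line only.
$ActionSendStreamDriverMode 1                   # require TLS
$ActionSendStreamDriverAuthMode x509/name       # verify the peer certificate name
$ActionSendStreamDriverPermittedPeer central.example.internal
$ActionQueueType LinkedList                     # in-memory queue ...
$ActionQueueFileName fwdCentral                 # ... spilling to disk under this name
$ActionQueueMaxDiskSpace 1g
$ActionQueueSaveOnShutdown on
$ActionResumeRetryCount -1                      # retry forever, never discard
*.crit  @@central.example.internal:6514         # @@ = TCP; only crit and above go upstream
```

Validate the file with `rsyslogd -N1` before restarting the daemon. Note that this only hardens the hop from the site relay to the central box; if the filer itself can only emit UDP, the first hop stays lossy and cleartext, which is a reason to keep that traffic on the management network and to put the relay close to the controllers.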
I took a look at Splunk yesterday and pointed all of my controllers at it... was very easy to set up and appears to do exactly what I'm after.
I'll check out LogLogic as well after I've played with Splunk for a few days. Thanks for the recommendation txskibum2000.
LogLogic will do this out of the box. Very simple. We are evaluating a LogLogic appliance now. But, we are trying to set up CIFS auditing... not so easy! If anyone can help, or knows of a better solution, please, please advise.
We looked at LogLogic and Splunk (as well as several others) but ended up going with LogZilla, which was easily 1/10 of the cost of Splunk and *way* less than LogLogic. In the end, we really like the very easy to use interface that LogZilla offered versus the other vendors - heck, even my manager uses it, lol.
There's a really good guide on Cisco's website that talks about syslog management techniques as well as some of the various tools. We found this link a while back and it has really helped us.
Building Scalable Syslog Management Solutions
Something I ended up finding out that may be useful to the community in the future. As it turns out, Splunk is free if you log less than 500 MB of data per day. In this particular environment that's the case. You do lose multiple logins in the free version, but again that's okay in this particular environment. I'll definitely keep LogZilla in mind though.