Network and Storage Protocols

Question about a syslog aggregator

adamgross

I'm looking for a solution that would allow me to take syslog output from all of my controllers to an external system.  I think I understand what my syslog.conf file needs to look like.  Where I'm stumped is picking add-ons or a replacement syslogd that would help with this.  In the end I'd like all messages to be logged to /etc/messages, also to the remote system, and then be searchable.  Any advice or nudges in the right direction would be greatly appreciated.  Thanks!

8 REPLIES 8

nitish

We are using  EventLog Analyzer from Manage Engine in a Enterprise account  ... it's very robust and reliable .... Performs the job very well.......

jeremypage

rsyslog (default in Ubuntu) will accept syslog messages and has an addon package what will let you dump the logs to a database for easier searching.

Also, depending on the size of your infrastructure you may want log servers per location & then have them forward to a central box only if the criticality warrants it.

Finally be aware that most of the time this stuff is over UDP so you can't rely on the messages making it off the filer & the data is unencrypted so be aware others can read your logging messages.

txskibum2000

yes...

*.*      @ipaddress of our syslog appliance

adamgross

I took a look at Splunk yesterday and pointed all of my controllers at it...  was very easy to setup and appears to do exactly what I'm after.

I'll check out LogLogic as well after I've played with Splunk for a few days.  Thanks for the recommendation txskibum2000.

txskibum2000

LogLogic will do this out of the box.  Very simple.  We are evaluating a LogLogic appliance now.  But, we are tring to setup CIFS auditing...not so easy!  If anyone can help, or know of a better solution, please, please advise.

Thanks!

BOBSIMPSON

We looked at LogLogic and Splunk (as well as several others) but ended up going with LogZilla which was easily 1/10 of the cost of Splunk and *way* less than LogLogic. In the end, we really like the very easy to use interface that logzilla offered versus the othe vendors - heck, even my manager uses it.lol.

There's a really good guide on Cisco's website that talks about syslog management techniques as well as some of the various tools. We found this link a while back and it has really helped us.

Building Scalable Syslog Management Solutions

http://www.cisco.com/en/US/technologies/collateral/tk869/tk769/white_paper_c11-557812.html#wp9000410

HTH!

adamgross

Something I ended up finding out that may be useful to the community in the future.  As it turns out, Splunk is free if you log less than 500mb of data per day.  In this particular environment that's the case.  You do lose multiple logins in the free version, but again that's okay in this particular environment.  I'll definitely keep LogZilla in mind though.

adamgross

Can you set syslog.conf to log locally and remotely?

*.info                                  /dev/console

*.info                                  /etc/messages

*.info                                  @hostname

Announcements
NetApp on Discord Image

We're on Discord, are you?

Live Chat, Watch Parties, and More!

Explore Banner

Meet Explore, NetApp’s digital sales platform

Engage digitally throughout the sales process, from product discovery to configuration, and handle all your post-purchase needs.

NetApp Insights to Action
I2A Banner
Public