[nsp] Syslog best practices.

Don Bowman don at sandvine.com
Fri Jan 24 10:33:44 EST 2003


> From: James Kilton [mailto:kilton9 at yahoo.com]
> Sent: January 24, 2003 10:23
> To: cisco-nsp at puck.nether.net
> Subject: [nsp] Syslog best practices.

> I'm preparing to deploy a few Syslog servers to
> receive logs from our Cisco devices, and I'm wondering
> how people typically handle having only 8 Syslog
> facilities to use per server when there are more than
> 8 Cisco devices on the network.  Do you just have all
> Cisco devices write to the same file?  Do you split it
> up randomly?  Or maybe have 1 file per criticality
> level?

On FreeBSD, I have 1 file per router:

+LTSP.phaedrus.sandvine.com
!*
*.*                                             /var/log/ltsp.log
+CCS2.phaedrus.sandvine.com
!*
*.*                                             /var/log/ccs2.log

This puts all messages from the router in the same file.
You could go further and split by severity by router.

I then put these files into /etc/newsyslog.conf for log rotation:
/var/log/ltsp.log                       644  5     1000 *     Z
/var/log/ccs2.log                       644  5     1000 *     Z

so they don't grow forever.
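
The per-router layout above, extended with the severity split the post mentions, as an added example that is not part of the original post: a shell generator that emits the syslog.conf blocks and a matching newsyslog.conf line for every file. The router names are constructed, and the .err.log file name and function names are assumptions.

```sh
# Added example, not from the original post. Router names are constructed.
LOGDIR=/var/log

# Log file stem: first DNS label, lowercased (LTSP.example.net -> ltsp).
log_name() { printf '%s\n' "$1" | cut -d. -f1 | tr 'A-Z' 'a-z'; }

# Accept only characters that are safe in a hostname and a file path.
valid_host() {
    case "$1" in
        ''|.*|-*|*..*|*[!A-Za-z0-9.-]*) return 1 ;;
    esac
}

# Fail if a name is unsafe or two routers would share a log file.
check_unique() {
    seen=' '
    for host in "$@"; do
        valid_host "$host" || { echo "bad hostname: $host" >&2; return 1; }
        name=$(log_name "$host")
        case "$seen" in
            *" $name "*) echo "log name collision: $name" >&2; return 1 ;;
        esac
        seen="$seen$name "
    done
}

# syslog.conf: "+host" block per router; *.err copies err and above to a 2nd file.
gen_syslog_conf() {
    check_unique "$@" || return 1
    for host in "$@"; do
        name=$(log_name "$host")
        printf '+%s\n!*\n' "$host"
        printf '%-47s %s/%s.log\n' '*.*' "$LOGDIR" "$name"
        printf '%-47s %s/%s.err.log\n' '*.err' "$LOGDIR" "$name"
    done
}

# newsyslog.conf: the post's rotation settings for every file named above.
gen_newsyslog_conf() {
    check_unique "$@" || return 1
    for host in "$@"; do
        for f in "$(log_name "$host").log" "$(log_name "$host").err.log"; do
            printf '%-39s 644  5     1000 *     Z\n' "$LOGDIR/$f"
        done
    done
}

# Constructed sample routers; prints both fragments.
gen_syslog_conf LTSP.example.net CCS2.example.net
gen_newsyslog_conf LTSP.example.net CCS2.example.net
```

The syslog.conf fragment is meant to be appended at the end of the file, since a +host line applies to every selector after it. The log files must exist before syslogd will write to them unless it is started with -C.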


