[nsp] Syslog best practices.
brett watson
brett at the-watsons.org
Fri Jan 24 08:40:00 EST 2003
On Friday, Jan 24, 2003, at 08:22 America/Phoenix, James Kilton wrote:
> I'm preparing to deploy a few Syslog servers to
> receive logs from our Cisco devices, and I'm wondering
> how people typically handle having only 8 Syslog
> facilities to use per server when there are more than
> 8 Cisco devices on the network. Do you just have all
> Cisco devices write to the same file? Do you split it
> up randomly? Or maybe have 1 file per criticality
> level?
just identify your devices with proper, meaningful names and turn on
timestamping with milliseconds (and use NTP for time sync on all
devices *and* the syslog host).
you could parse certain types of messages to different log files but if
you break things down too far, you'll spend your time trying to
correlate log messages between multiple files when you really have a
problem. i've always found it easier to correlate from one log file.
then again, the size of your network dictates that you split things into
multiple logs.
-b
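
The single-file approach from the reply above, as an added example that is not part of the original post: with meaningful hostnames and millisecond timestamps in every line, per-device views and cross-device correlation can be produced on demand from one combined log. The line layout, hostnames, year and sample messages are constructed assumptions, not taken from the thread.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: one combined file as a syslog host might write it.
# Assumed layout: "<host> <device timestamp with msec>: %FAC-SEV-MNEMONIC: text"
SAMPLE = """\
core-rtr-phx Jan 24 15:40:01.120: %LINK-3-UPDOWN: Interface Serial0/0, changed state to down
edge-sw-tus Jan 24 15:39:12.004: %SYS-5-CONFIG_I: Configured from console by vty0
core-rtr-den Jan 24 15:40:01.310: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/0, changed state to down
core-rtr-phx Jan 24 15:40:01.455: %OSPF-5-ADJCHG: Process 1, Nbr 10.0.0.2 on Serial0/0 from FULL to DOWN
edge-sw-tus Jan 24 15:47:30.900: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.0.2.9(4312) -> 10.1.1.5(23), 1 packet
"""

LINE = re.compile(r"^(?P<host>\S+) (?P<ts>\w{3} +\d+ [\d:]+\.\d{3}): "
                  r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>\d)-(?P<mnem>[A-Z0-9_]+): (?P<text>.*)$")

def parse(text, year=2003):
    """Return events sorted by device timestamp; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        # Syslog timestamps carry no year, so one is assumed for parsing.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S.%f")
        events.append({"ts": ts, "host": m["host"], "sev": int(m["sev"]),
                       "tag": f"{m['fac']}-{m['mnem']}", "text": m["text"]})
    return sorted(events, key=lambda e: e["ts"])

def around(events, tag, window_ms=500):
    """All events, from any device, within window_ms of the first event with this tag."""
    anchor = next((e for e in events if e["tag"] == tag), None)
    if anchor is None:
        return []
    span = timedelta(milliseconds=window_ms)
    return [e for e in events if abs(e["ts"] - anchor["ts"]) <= span]

def for_device(events, host):
    """Per-device view produced on demand instead of a separate log file."""
    return [e for e in events if e["host"] == host]

if __name__ == "__main__":
    for e in around(parse(SAMPLE), "LINK-UPDOWN"):
        print(e["ts"].strftime("%H:%M:%S.%f")[:-3], e["host"], e["tag"], e["text"])
```

The window comparison is only meaningful when the devices are NTP-synchronized, which is why the reply pairs millisecond timestamps with time sync.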