[nsp] Syslog best practices.

brett watson brett at the-watsons.org
Fri Jan 24 08:40:00 EST 2003


On Friday, Jan 24, 2003, at 08:22 America/Phoenix, James Kilton wrote:

> I'm preparing to deploy a few Syslog servers to
> receive logs from our Cisco devices, and I'm wondering
> how people typically handle having only 8 Syslog
> facilities to use per server when there are more than
> 8 Cisco devices on the network.  Do you just have all
> Cisco devices write to the same file?  Do you split it
> up randomly?  Or maybe have 1 file per criticality
> level?

just identify your devices with proper, meaningful names and turn on 
timestamping with milliseconds (and use NTP for time sync on all 
devices *and* the syslog host).

you could parse certain types of messages to different log files but if 
you break things down too far, you'll spend your time trying to 
correlate log messages between multiple files when you really have a 
problem.  i've always found it easier to correlate from one log file.

then again, the size of your network may dictate that you split things into 
multiple logs.

-b
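
Added example (not part of the original post or the list archive): one way to apply the reply's advice, telling devices apart by hostname instead of by syslog facility and correlating from a single stream ordered on millisecond timestamps. The datagram layout, the hostnames, the year and the sample lines are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample datagrams (not from the original post). Assumed layout:
#   <PRI>Mmm dd hh:mm:ss.mmm hostname message
# All four use facility local7; only the hostname tells the devices apart.
SAMPLE = [
    "<189>Jan 24 08:40:00.512 core-sw-01 %LINK-5-CHANGED: Interface Gi0/1, changed state to up",
    "<187>Jan 24 08:40:00.127 edge-rtr-02 %LINK-3-UPDOWN: Interface Se0/0, changed state to down",
    "<190>Jan 24 08:39:59.950 edge-rtr-01 %SYS-6-LOGGINGHOST_STARTSTOP: Logging started",
    "<187>Jan 24 08:40:00.131 core-sw-01 %LINK-3-UPDOWN: Interface Gi0/2, changed state to down",
]

LINE = re.compile(r"<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d\.\d{3}) (\S+) (.*)")

def parse(line, year=2003):
    """Decode one datagram; return None if it does not match the assumed layout."""
    m = LINE.fullmatch(line.strip())
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:  # highest valid PRI is facility 23, severity 7
        return None
    facility, severity = pri >> 3, pri & 7  # PRI = facility * 8 + severity
    try:
        # The syslog timestamp has no year, so the caller supplies one (assumption).
        ts = datetime.strptime(f"{year} {m.group(2)}", "%Y %b %d %H:%M:%S.%f")
    except ValueError:
        return None
    name = f"local{facility - 16}" if facility >= 16 else str(facility)
    return {"ts": ts, "host": m.group(3), "facility": name,
            "severity": severity, "msg": m.group(4)}

def timeline(lines):
    """One merged stream ordered by device timestamp, for correlation."""
    records = [r for r in map(parse, lines) if r is not None]
    return sorted(records, key=lambda r: r["ts"])

def by_host(lines):
    """Optional per-device view, keyed on hostname instead of facility."""
    out = defaultdict(list)
    for r in timeline(lines):
        out[r["host"]].append(r)
    return dict(out)

if __name__ == "__main__":
    for r in timeline(SAMPLE):
        print(r["ts"].strftime("%H:%M:%S.%f")[:-3], r["host"], r["facility"], r["severity"], r["msg"])
```

The ordering is only meaningful if every device and the syslog host are synchronized with NTP, as the reply says.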



More information about the cisco-nsp mailing list