FW: [nsp] Syslog best practices.

Colm MacCarthaigh colm.maccarthaigh at heanet.ie
Fri Jan 24 15:46:22 EST 2003


James,

Although the version of syslog most vendors ship is indeed
facility based, this generally isn't considered the most optimal
solution when you start logging a large amount of hosts, as you've
found!

The best solution we've found is syslog-ng, which you can find
here:

	http://www.balabit.hu/en/downloads/syslog-ng/

It has the ability to separate logs based on a large amount
of factors. Most usefully the origin IP address (though currently
limited to IPv4, it's being worked on) of the syslog message,
and a Regular Expression based on the content of the message.

This makes it possible to separate logs on a priority basis and
a per-host basis. Here in HEAnet we separate on a per-host basis,
though we also let all of our routers log to a single file
which we find useful to monitor for noticeable events. We currently
monitor 40 hosts.

In multi-homed or multi-pop situations it is also possible to
use syslog-ng as a proxy, forwarding logs to a central server
using TCP, which is more reliable than UDP. This gives the
added bonus of spooling during network outages, rather than
simply losing what are usually critical logs.

Generally our syslog-ng config looks as follows:

# listen for syslog datagrams from the routers (UDP/514)
source remote_src { udp(); };

# a filter based on reverse dns (host name is a quoted string/regexp)
filter andel_in { host("Andel"); };

# one file per host
destination andel_out {
        file("/syslogs/andel" sync(0) perm(0644) log_fifo_size(10));
};

log { source(remote_src); filter(andel_in); destination(andel_out); };


so it's quite intuitive to add hosts. In addition to splitting
up files, it is also important to consider archival and backups.
We back up once per week; due to the ASCII nature of syslogs,
they compress extremely well, and disk requirements are extremely
low.


> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net]On Behalf Of James Kilton
> Sent: Friday, January 24, 2003 3:23 PM
> To: cisco-nsp at puck.nether.net
> Subject: [nsp] Syslog best practices.
> 
> 
> I'm preparing to deploy a few Syslog servers to
> receive logs from our Cisco devices, and I'm wondering
> how people typically handle having only 8 Syslog
> facilities to use per server when there are more than
> 8 Cisco devices on the network.  Do you just have all
> Cisco devices write to the same file?  Do you split it
> up randomly?  Or maybe have 1 file per criticality
> level?
> 
> Any advice would be appreciated.
> 

-- 
Colm MacCárthaigh  /   HEAnet, Brooklawn House,     /     Network Engineer
+353 1 6609040    /  Shelbourne Road, Dublin, IE   /   http://www.hea.net/
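The per-host and per-severity splitting Colm describes, as an added Python illustration (not code from this thread and not syslog-ng's own): it decodes the RFC 3164 PRI header, routes each datagram by its origin address rather than by facility, and keeps a shared routers file plus a critical file. The reverse-DNS table, host names and sample datagrams are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed reverse-DNS table standing in for the lookup syslog-ng's
# host() filter relies on (assumption: these names and addresses are made up).
REVERSE_DNS = {"192.0.2.10": "andel", "192.0.2.11": "rathmines", "192.0.2.12": "blanch"}

# Constructed RFC 3164 datagrams as received from the routers. All three
# routers use the same facility (local7 = 23), so facility alone cannot
# tell them apart; the source address can.
SAMPLE = [
    ("192.0.2.10", "<187>Jan 24 15:40:01 andel: %LINK-3-UPDOWN: Interface Gi0/1, changed state to down"),
    ("192.0.2.11", "<189>Jan 24 15:40:02 rathmines: %SYS-5-CONFIG_I: Configured from console by vty0"),
    ("192.0.2.12", "<190>Jan 24 15:40:03 blanch: %SEC-6-IPACCESSLOGP: list 101 denied tcp 1 packet"),
    ("198.51.100.9", "<13>Jan 24 15:40:04 unknown-box: user login"),
]

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)

def parse_pri(raw):
    """Split the <PRI> header into (facility, severity, body); PRI = facility*8 + severity."""
    m = PRI_RE.match(raw)
    if not m:
        return None, None, raw          # no valid PRI: keep the text, severity unknown
    pri = int(m.group(1))
    return pri // 8, pri % 8, m.group(2)

def route(source_ip, raw):
    """Return the destination files for one message: a per-host file chosen
    from the origin address, one shared routers file, and a critical file
    for severity <= 3 (error and worse). Unknown sources are kept, not dropped."""
    facility, severity, body = parse_pri(raw)
    host = REVERSE_DNS.get(source_ip)
    dests = []
    if host is None:
        dests.append("/syslogs/unmatched")
    else:
        dests.append(f"/syslogs/{host}")
        dests.append("/syslogs/routers-all")
    if severity is not None and severity <= 3:
        dests.append("/syslogs/critical")
    return dests

def split_logs(datagrams):
    """Group messages by destination file, mirroring a set of syslog-ng log {} statements."""
    files = defaultdict(list)
    for src, raw in datagrams:
        for dest in route(src, raw):
            files[dest].append(raw)
    return dict(files)
```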

