[c-nsp] Cisco boxes and Syslog-ng

Ariel Biener ariel at post.tau.ac.il
Wed Sep 7 10:24:50 EDT 2005


On Wednesday 07 September 2005 16:24, Joost greene wrote:
> Hello,
>
> I have different sets of devices: DSLAMs, NAS, core routers, customer
> routers, ...
>
> I want to syslog them all. I want to make each device log to a file
> separately to ease it up for NOC. Someone suggested syslog-ng; frankly, I
> got quickly lost in its docs, the syntax isn't clear. How can I just easily
> specify to let it log per source into different files?

Are we talking about high volume or low volume (in lines per second)?
In general, assuming you define the same syslog severity and facility (log
level) on your various Cisco routers, then it will include an identifier of
who sent the syslog entry. Now, syslog (regular, see NG below) accepts
as output either files, or a pipe `|' to a script. Your script can then
manipulate the entries, and write each to its own file based on whatever
you write in that script.

Now, there are some differences in syslog flavours, so it depends on what
architecture (OS) you're going to run all this on, and also, it depends on how
many lines per second you're going to be sending. If you're going to be sending
hundreds of lines per second, then the above needs to be redesigned a bit
(see below). If you're not bombarding your syslog server, then the above is
fine.

If you're bombarding, then there are a few caveats:

1). Syslog is UDP based. As such, if you lose a line, your Cisco thing won't
     know about it and won't send it again.
2). Syslog in itself is very I/O bound. As such, if you're going to pipe it into
     some application, things are going to get even worse. So, try writing
     whatever it is that reads the pipe input in `C' or compiled perl or
     something efficient.

As for syslog-NG, there is the filter {} directive, which allows you to catch
a regular expression in the syslog line you receive, and send it to wherever
(including a file) based on that. The config file reminds me a bit of BIND, or
of Juniper if you may. Not such a nightmare as I expected. I dunno about
performance though, as point 1 applies to syslog-NG as well.


enjoy,

--Ariel
-- 
 Ariel Biener
 e-mail: ariel at post.tau.ac.il
 PGP: http://www.tau.ac.il/~ariel/pgp.html

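The per-source layout the original poster asked for, as an added example that is not part of either message in this thread. It uses syslog-ng 1.6-era syntax (current when this was written; newer releases spell `sync()` as `flush_lines()`), names files by the sender's address via the `$HOST` macro, and groups device classes by management subnet with `netmask()` filters. The paths, subnets and the final catch-all destination are assumptions for illustration, not anything either poster described.

```conf
# Added example, not from the original post. All paths and subnets are assumed.

options {
    # Cisco IOS puts no hostname field in its syslog header, so derive $HOST
    # from the sending address instead of trusting the message text.
    keep_hostname(no);
    # Resolving every sender is a DNS lookup in the hot path. Leave it off
    # (files are then named by IP) or enable it together with dns_cache(yes).
    use_dns(no);
    dns_cache(yes);
    create_dirs(yes);
    # Syslog is I/O bound: write in batches of lines rather than one at a time,
    # and give the input queue headroom for bursts from many devices.
    sync(100);
    log_fifo_size(10000);
};

# Plain UDP/514 from the routers. A dropped datagram is gone; the device will
# not resend it, so size the fifo for the peak line rate, not the average.
source s_cisco { udp(ip("0.0.0.0") port(514)); };

# Device classes by management subnet (assumed addressing). netmask() matches
# the sender's address, so it works even though $HOST is an IP here.
filter f_dslam { netmask("10.1.0.0/24"); };
filter f_nas   { netmask("10.2.0.0/24"); };
filter f_core  { netmask("10.3.0.0/24"); };

# One directory per class, one file per sending device.
destination d_dslam { file("/var/log/cisco/dslam/$HOST.log" perm(0640)); };
destination d_nas   { file("/var/log/cisco/nas/$HOST.log"   perm(0640)); };
destination d_core  { file("/var/log/cisco/core/$HOST.log"  perm(0640)); };
# Everything not claimed above (customer routers, unknown senders) still lands
# in its own file, so a message never vanishes because no filter matched it.
destination d_other { file("/var/log/cisco/other/$HOST.log" perm(0640)); };

# flags(final) stops a matched message from also falling through to d_other.
log { source(s_cisco); filter(f_dslam); destination(d_dslam); flags(final); };
log { source(s_cisco); filter(f_nas);   destination(d_nas);   flags(final); };
log { source(s_cisco); filter(f_core);  destination(d_core);  flags(final); };
log { source(s_cisco); destination(d_other); };
```

On the IOS side this pairs with `logging <collector>`, `logging trap informational` and `logging facility local7` so every device sends at the same severity and facility, as the reply above assumes. Because the files are named by sender address, adding `logging source-interface Loopback0` keeps a router's file name stable across link changes. If you would rather name files by hostname, set `use_dns(yes)` and keep `dns_cache(yes)`, or add `host("^dslam-")` style filters once `$HOST` resolves to a name.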
