[c-nsp] Cisco boxes and Syslog-ng

Joost greene joost.greene at gmail.com
Wed Sep 7 10:32:23 EDT 2005


> 
> Are we talking about high volume or low volume (in lines per second) ?


Well, not a syslog-experienced user myself, but I consider it high volume, 
yes: around 25 NAS, 25 DSLAM, 100 small PoPs and maybe 25 edge routers, a high 
volume of lines because they will be sending each interface up/down.

> In general, assuming you define the same syslog severity and facility (log
> level) on your various Cisco routers, then it will include an identifier of
> who sent the syslog entry. Now, syslog (regular, see NG below) accepts
> as output either files, or a pipe `|' to a script. Your script can then
> manipulate the entries, and write each to its own file based on whatever
> you write in that script.


But wouldn't it be better if I just filter as they come directly to a file 
with syslog-ng, as others suggested?

> Now, there are some differences in syslog flavours, so it depends on what
> architecture (OS) you're gonna run all this, and also, it depends on how
> many lines per second you're gonna be sending. If you're gonna be sending
> hundreds of lines per second, then the above needs to be redesigned a bit
> (see below). If you're not bombarding your syslog server, then the above is
> fine.
> 
> If you're bombarding, then there are a few caveats:
> 
> 1). Syslog is UDP based. As such, if you lose a line, your Cisco thing won't
> know about it and won't send it again.


With the above you suggest that I distribute the logs to different servers to 
make sure they are delivered, or use TCP for syslog, which I saw on syslog-ng 
but don't know if Cisco supports it.

> 2). Syslog in itself is very IO bound. As such, if you're gonna pipe it into
> some application, things are gonna get even worse. So, try writing
> whatever it is that reads the pipe input in `C' or compiled perl or
> something efficient.
> 
> As for syslog-NG, there is the filter {} directive, which allows you to catch
> a regular expression in the syslog line you receive, and send it to wherever
> (including a file) based on that. The config file reminds me a bit of BIND, or
> of Juniper if you may. Not such a nightmare as I expected. I dunno about
> performance though, as point 1. applies to syslog-NG as well.
> 
> 
> enjoy,
> 
> --Ariel
> --
> Ariel Biener
> e-mail: ariel at post.tau.ac.il
> PGP: http://www.tau.ac.il/~ariel/pgp.html
>
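For readers wanting to see what "filter as they come directly to a file with syslog-ng" looks like, here is an added syslog-ng configuration sketch (my example, not part of this thread and not from the syslog-ng project). It assumes syslog-ng 3.x syntax, that the Cisco boxes log to the default facility local7, and that the receiving box has a writable /var/log/cisco/ directory; the output path, filter names and the link-status pattern are my choices.

```conf
# Added example: one file per sending router, selected by the source host,
# plus a separate file for interface up/down events caught by a regex.
# Assumed paths and names; adjust to your layout.

options {
    create_dirs(yes);          # let syslog-ng create /var/log/cisco/<host>/
    keep_hostname(yes);        # trust the hostname the router puts in the line
};

# Routers send over UDP (point 1 in the thread: lost datagrams are gone).
source s_cisco_udp { udp(ip(0.0.0.0) port(514)); };

# A TCP listener on the collector side; whether a given IOS release can be
# told to log over TCP is not settled in this thread, so check your platform.
source s_cisco_tcp { tcp(ip(0.0.0.0) port(514)); };

# Cisco IOS logs to local7 by default; keep anything else out of these files.
filter f_cisco { facility(local7); };

# Regex filter: IOS interface state changes carry a mnemonic such as
# LINK-3-UPDOWN or LINEPROTO-5-UPDOWN in the message text.
filter f_linkstate { match("(LINK|LINEPROTO)-[0-9]-UPDOWN" value("MESSAGE")); };

# Only warning and above, to thin out chatty devices before they hit disk.
filter f_important { level(warning..emerg); };

# One file per router, named after the sending host (the $HOST macro).
destination d_per_host {
    file("/var/log/cisco/$HOST/messages"
         template("${DATE} ${HOST} ${MESSAGE}\n"));
};

# All interface up/down events from every router in one place for review.
destination d_linkstate { file("/var/log/cisco/linkstate.log"); };

# Everything from the routers, split by host.
log {
    source(s_cisco_udp); source(s_cisco_tcp);
    filter(f_cisco);
    destination(d_per_host);
};

# Link-state events also go to the combined file.
log {
    source(s_cisco_udp); source(s_cisco_tcp);
    filter(f_cisco); filter(f_linkstate);
    destination(d_linkstate);
};
```

The per-host split uses the `$HOST` macro rather than a script on a pipe, so the IO cost stays inside syslog-ng; the regex filter runs on the message text only (`value("MESSAGE")`), which is cheaper than matching the whole line. Because the routers are UDP senders, neither listener can recover a dropped datagram; if delivery matters, sending the same stream to a second collector (as suggested in the reply above) is the practical mitigation.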

