Syslog

LynK · November 20, 2015, 12:40:24 PM

We have been working on some solutions with syslog, and we tried kiwi (to the recommendation of some of those here) and it is atrocious. Down right abysmal. We are currently demoing logzilla, and I HIGHLY recommend everyone give it a try. It is amazing. We are really enjoying it, and by the way they have 25% off promotion until the end of December.

EOS · November 20, 2015, 01:17:15 PM

We haven't had any issues with SPLUNK. Not sure what your requirements are though.

icecream-guy · November 20, 2015, 02:22:21 PM

no probs here with syslogd, with a bit of creative scripting to bzip daily logs and clean up the log directories.
search for things via grep

packetherder · November 20, 2015, 05:51:16 PM

Graylog, ELK stack, or splunk if you're made of money.

wintermute000 · November 20, 2015, 06:25:36 PM

splunk. It probably is the largest scaling solution out there (AWS.... we have sold it and developed packages for banks etc. - its really more of a database than a syslog solution)

LynK · November 23, 2015, 09:47:38 AM

My biggest stink is I have yet to see a syslog provider give you the ability to have separate panels with device filters, so I can have one for my MPLS routers, MPLS switches, HQ Access, HQ DC, Firewall, etc.

it would be so nice.

wintermute000 · November 23, 2015, 04:09:59 PM

You can do it ghetto style using facilities as categories

deanwebb · January 21, 2016, 04:38:14 PM

Gravedig because I'm in charge of finding a syslog for the network team at my work. Need a solution for a global company with about 500 locations, 4 of which are massive data centers. Need to look at HP Arcserve and Splunk, but will also get to look at 2-3 others. We need something with a really easy to use front end so our level 1/level 2 people can use it within 15-30 minutes of being told that they're going to do some work with syslog.

wintermute000 · January 21, 2016, 05:26:59 PM

Splunk is awesome but for large deployments it's typically used as a db to a custom front end or monitoring solution
We have an entire ps department who do nothing but program splunk

deanwebb · January 21, 2016, 05:34:27 PM

Quote from: wintermute000 on January 21, 2016, 05:26:59 PM
Splunk is awesome but for large deployments it's typically used as a db to a custom front end or monitoring solution
We have an entire ps department who do nothing but program splunk

Why do the front ends need to be customized? Is that missing in splunk, or is that just pretty standard in any syslog product to have to customize front ends?

wintermute000 · January 21, 2016, 06:03:56 PM

the splunk front end is pretty generic - its actually regarded more as a general purpose unstructured DB (no schema) that is wicked fast than a pure syslog product, though syslog is one of its common applications

It does work fine IMO but you have to basically curate filter/query templates and know how to tweak them. Not tried automating reports or alerts etc. but I'd imagine thats a big part of custom integrations. I've only really driven the free version (limited to 10k a day or something like that)

There's a whole ecosystem of products now though, I'd recommend talking to a splunk consultancy to get the max value. BUt I can tell you for a fact that my company does a lot of splunk business, all for very large organisations like yours, to develop custom syslog/reporting systems and integrate into monitoring, ticketing etc. For example we have two guys who sit in a large telco who've been exclusively developing custom splunk for the last 5 years and constantly integrating new systems/parts of the network.

http://www.splunk.com/en_us/products/splunk-enterprise.html

If you just want a simple syslog appliance that sends emails then perhaps its overkill.

Dieselboy · January 22, 2016, 01:10:45 AM

I do need to do this here... There's a log viewer in our Cacti.

What's free, vs what's not free? The cacti one I think uses syslogd, and the front end is cacti which you can filter based on per device and date / time.. Seems okay, but I've not properly spent the time to set it up yet. And it's free.

wintermute000 · January 22, 2016, 01:53:30 AM

We used cacti at my old work, including for syslog, heavily customised bit worked fine
Basic splunk is free for up to 10k logs a day

icecream-guy · January 22, 2016, 07:04:27 AM

Your syslog should be linked with your device monitoring system. What are you using to monitor your devices? There should be some sort of syslog capability there, along with the alerting functions. It needs to be integrated, for example a device sends out a syslog event for a failed fan, no use for the alert to go into the syslog database without an event alert being sent. Maybe I'm starting to wade into the weeds of SNMP, where your device sends traps to the monitoring system and an alert is generated. syslogs are pretty useless if you don't know (can't find) and can't react.

routerdork · January 22, 2016, 08:45:32 AM

I have yet to get to use it but we use LogRhythm here. I'm supposed to go to the training in Boulder, CO at some point this year.