Syslog

Started by LynK, November 20, 2015, 12:40:24 PM


LynK

We have been working on some solutions with syslog, and we tried kiwi (to the recommendation of some of those here) and it is atrocious. Down right abysmal. We are currently demoing logzilla, and I HIGHLY recommend everyone give it a try. It is amazing. We are really enjoying it, and by the way they have 25% off promotion until the end of December.
Sys Admin: "You have a stuck route"
            Me: "You have an incorrect Default Gateway"

EOS

We haven't had any issues with SPLUNK. Not sure what your requirements are though.

icecream-guy

no probs here with syslogd, with a bit of creative scripting to bzip daily logs and clean up the log directories.
search for things via grep

:professorcat:

My Moral Fibers have been cut.

packetherder

Graylog, ELK stack, or splunk if you're made of money.

wintermute000

splunk. It probably is the largest scaling solution out there (AWS.... we have sold it and developed packages for banks etc. - it's really more of a database than a syslog solution)

LynK

My biggest stink is I have yet to see a syslog provider give you the ability to have separate panels with device filters, so I can have one for my MPLS routers, MPLS switches, HQ Access, HQ DC, Firewall, etc.

it would be so nice.

wintermute000

You can do it ghetto style using facilities as categories

deanwebb

Gravedig because I'm in charge of finding a syslog for the network team at my work. Need a solution for a global company with about 500 locations, 4 of which are massive data centers. Need to look at HP Arcserve and Splunk, but will also get to look at 2-3 others. We need something with a really easy to use front end so our level 1/level 2 people can use it within 15-30 minutes of being told that they're going to do some work with syslog.
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

wintermute000

Splunk is awesome but for large deployments it's typically used as a db to a custom front end or monitoring solution
We have an entire ps department who do nothing but program splunk

deanwebb

Quote from: wintermute000 on January 21, 2016, 05:26:59 PM
Splunk is awesome but for large deployments it's typically used as a db to a custom front end or monitoring solution
We have an entire ps department who do nothing but program splunk

Why do the front ends need to be customized? Is that missing in splunk, or is that just pretty standard in any syslog product to have to customize front ends?

wintermute000

the splunk front end is pretty generic - it's actually regarded more as a general purpose unstructured DB (no schema) that is wicked fast than a pure syslog product, though syslog is one of its common applications

It does work fine IMO but you have to basically curate filter/query templates and know how to tweak them. Not tried automating reports or alerts etc. but I'd imagine that's a big part of custom integrations. I've only really driven the free version (limited to 10k a day or something like that)

There's a whole ecosystem of products now though, I'd recommend talking to a splunk consultancy to get the max value. But I can tell you for a fact that my company does a lot of splunk business, all for very large organisations like yours, to develop custom syslog/reporting systems and integrate into monitoring, ticketing etc. For example we have two guys who sit in a large telco who've been exclusively developing custom splunk for the last 5 years and constantly integrating new systems/parts of the network.

http://www.splunk.com/en_us/products/splunk-enterprise.html

If you just want a simple syslog appliance that sends emails then perhaps it's overkill.

Dieselboy

I do need to do this here... There's a log viewer in our Cacti.

What's free, vs what's not free? The cacti one I think uses syslogd, and the front end is cacti which you can filter based on per device and date / time.. Seems okay, but I've not properly spent the time to set it up yet. And it's free.

wintermute000

We used cacti at my old work, including for syslog, heavily customised but worked fine
Basic splunk is free for up to 10k logs a day

icecream-guy

Your syslog should be linked with your device monitoring system. What are you using to monitor your devices? There should be some sort of syslog capability there, along with the alerting functions. It needs to be integrated, for example a device sends out a syslog event for a failed fan, no use for the alert to go into the syslog database without an event alert being sent. Maybe I'm starting to wade into the weeds of SNMP, where your device sends traps to the monitoring system and an alert is generated. syslogs are pretty useless if you don't know (can't find) and can't react.

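The facility-as-category trick wintermute000 mentions and the fan-failure alerting icecream-guy describes, as an added example that is not code from any post in this thread: it decodes the PRI of RFC 3164 lines, buckets messages into per-device-class panels by facility, and flags error-or-worse messages for alerting. The facility-to-panel mapping and the sample log lines are constructed assumptions, not a standard or anyone's real device output.

```python
import re
from collections import defaultdict

# Assumed convention (not from the thread): each device class logs on its own
# local facility (local0 = 16 ... local7 = 23), so facility selects the panel.
FACILITY_PANEL = {
    16: "MPLS routers",   # local0
    17: "MPLS switches",  # local1
    18: "HQ Access",      # local2
    19: "HQ DC",          # local3
    20: "Firewall",       # local4
}
ALERT_SEVERITY = 3  # alert on error (3) and worse; 0 = emerg ... 7 = debug

# RFC 3164 layout: <PRI>Mmm dd hh:mm:ss hostname message
LINE_RE = re.compile(r"^<(\d{1,3})>(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (\S+) (.*)$")

def parse(line):
    """Split one line and decode PRI (PRI = facility * 8 + severity)."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    pri = int(m.group(1))
    if pri > 191:  # facility 23 / severity 7 is the largest legal PRI
        return None
    return {"facility": pri // 8, "severity": pri % 8,
            "timestamp": m.group(2), "host": m.group(3), "msg": m.group(4)}

def route(lines):
    """Bucket records per panel; collect (panel, host, msg) for alert-worthy ones."""
    panels, alerts = defaultdict(list), []
    for line in lines:
        rec = parse(line)
        if rec is None:
            panels["unparsed"].append(line)  # keep it visible, never drop silently
            continue
        panel = FACILITY_PANEL.get(rec["facility"], "other")
        panels[panel].append(rec)
        if rec["severity"] <= ALERT_SEVERITY:
            alerts.append((panel, rec["host"], rec["msg"]))
    return panels, alerts

SAMPLE = [  # constructed sample lines, not real device output
    "<134>Jan 21 17:26:59 mpls-rtr-1 Interface Gi0/1 up",        # local0, info
    "<149>Jan 21 17:27:03 hq-acc-sw-2 User login from console",  # local2, notice
    "<162>Jan 21 17:27:10 fw-hq-1 Fan 2 failed",                 # local4, crit
    "garbage that is not syslog",
]
```

Calling `route(SAMPLE)` yields one record in each of the MPLS routers, HQ Access and Firewall panels, the garbage line under "unparsed", and a single alert for the firewall fan failure.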

routerdork

I have yet to get to use it but we use LogRhythm here. I'm supposed to go to the training in Boulder, CO at some point this year.
"The thing about quotes on the internet is that you cannot confirm their validity." -Abraham Lincoln