Our logging folks that operate the $$$$$$syslog server said they were unable to parse our firewall logs once we sent them using tcp. ¯\_(ツ)_/¯
As I indicated in my initial email I'm out over my skis a bit. I'll take a look at rsyslog and see if the docs are dumb enough for my level of skills.
Ack on the Host OS, Bus Drivers, etc. We will see how it goes once we load it up.
P.
> Based on a suggestion here we setup Nginx and it looks like it is
> doing what we need but open to other solutions too. We will check
> out rsyslog too.
rsyslog should be your go-to here, especially since with all those
devices, you might want to filter them into different lots based on
the source IP, etc.
> Logs are from about 2500 networking devices including firewall,
> routers, AAA servers, wireless controllers on a sizeable campus
> network.
Ok, so are these devices sending only via UDP or can you turn them on
to use TCP? TCP will help keep down message loss, but for your busier
devices, you might run into problems.
> We are testing with one firewall and its generating about 7,000 log
> messages a second. This is probably on the high side; some devices
> will be almost zero.
I would try using rsyslog in this case. It's certainly easier to
setup than syslog-ng, which was a damn disaster in my book. Super
flexible, lots and lots of options, but just a total pain in the ass
to get working right.
> The hosts are VMs (I will have two) that we are just getting the
> configuration going on, we have not loaded it up with all the logs
> yet so hard to tell CPU usage. Currently it is almost zero. We can
> throw more cpu/memory at it if it is a problem.
Make sure you have good networking into these syslog destination VMs.
> Having the source send two copies of the same logs is possible
> though now our gear is going to be processing more log data than actual
> data __
Sure, makes sense. Nice to just point everything at
'log.internal.local' and let that system duplicate the data to
multiple destinations or backends.
> The real issue is if we can't trust the folks we are sending logs to to
> not move or change to another site/location/cloud whoever is on sale
> this week. Keeping some central log boxes makes it so we only have
> to change the target on these two syslog hosts and not on all 2500
> devices.
I understand completely! I'm happy to answer questions and give you
example configs. The docs for rsyslog are ok, but sometimes the
examples are a little lacking for real world examples. Obviously
written by people who know the stuff inside out, but can't write for
smart but ignorant use cases. :-)
You could also have rsyslog save a copy locally, and then send in to
another host. If you're looking for fully redundant setup, then you
might need a load balancer of some sort. It's hard to get complete
logging without doing funky things because having a fully redundant
setup is nice simple to do right.
But also, check your other system configs at the base OS level. And
check your VM's bus drivers. Some network cards will have better
performance than others. Depending on how you have your
virtualization setup, you might need to tweak your VM's hardware setup
to get better network performance.
John
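An added example of the rsyslog setup John describes (listen on UDP and TCP, split devices into lots by source IP, keep a local copy, and forward a copy to the central collector). This is example config written for this thread, not something either poster sent; the 10.1.1.0/24 and 10.1.2.0/24 ranges are assumed placeholders for the firewall and AAA device addresses, and `log.internal.local` is the name used in the thread.

```rsyslog
# Example rsyslog (RainerScript) config - not from the thread.
# Assumptions: firewalls live in 10.1.1.0/24, AAA servers in 10.1.2.0/24,
# and the central collector is reachable as log.internal.local on TCP/514.

# Receive from the network devices on both transports.
module(load="imudp")
module(load="imtcp")
input(type="imudp" port="514" ruleset="netdevices")
input(type="imtcp" port="514" ruleset="netdevices")

# One file per sending device, named by its source IP and the date.
template(name="PerDeviceFile" type="string"
         string="/var/log/netdevices/%fromhost-ip%/%$year%-%$month%-%$day%.log")

ruleset(name="netdevices") {
    # Local copy: sort into lots by source address (ranges are placeholders).
    if $fromhost-ip startswith "10.1.1." then {
        action(type="omfile" file="/var/log/netdevices/firewalls.log")
    } else if $fromhost-ip startswith "10.1.2." then {
        action(type="omfile" file="/var/log/netdevices/aaa.log")
    } else {
        action(type="omfile" dynaFile="PerDeviceFile")
    }

    # Second copy: forward everything to the central collector over TCP.
    # The disk-assisted queue buffers messages if the collector is down,
    # so the local copy keeps being written while the forwarder retries.
    action(type="omfwd" target="log.internal.local" port="514" protocol="tcp"
           queue.type="LinkedList" queue.size="100000"
           queue.filename="fwd_central" queue.saveOnShutdown="on"
           action.resumeRetryCount="-1")
}
```

Two checks worth doing with a sender pushing 7,000 messages a second: watch for UDP receive drops on the VM (raise the kernel socket buffer and imudp's thread count if the counters climb), and confirm which TCP framing the firewall emits, since rsyslog's imtcp accepts both newline-delimited and octet-counted framing while some receivers only parse one of them; that is the first thing to look at when a collector can read a device's UDP logs but not its TCP logs.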
_______________________________________________
WLUG mailing list -- wlug@lists.wlug.org
To unsubscribe send an email to wlug-leave@lists.wlug.org
Create Account: https://wlug.mailman3.com/accounts/signup/
Change Settings: https://wlug.mailman3.com/postorius/lists/wlug.lists.wlug.org/
Web Forum/Archive: