nanog mailing list archives
Re: improving signal to noise ratio from centralized network syslogs
From: Jippen <cheetahmorph () gmail com>
Date: Sun, 4 Feb 2018 01:07:45 -0800
I really recommend setting up fluentd, and then routing logging from there - it makes it very easy to keep auditor-appeasing logs, while also having important stuff sending pages.

Log aggregation, organization, and search is a hard problem, other people have already done it and provided it as a service, and chances are it's NOT a core competency or secret sauce at your organization. Once you get your logs in one routing system, you can do a lot with them, but stop rolling your own. This is a prime area for most companies to buy something that works better, for less than the cost of developing in house. And if you run your own aggregation layer - then you can easily try out a bunch of different systems and add/remove them easily. :)

Also, you may want to see one level of logs, but your auditors might wanna see another, and your engineers/sec team might wanna do some analytics on them. Being able to provide a solution for everyone who needs network logs at whatever detail level they ask for will make you popular at your organization.

On Sun, Feb 4, 2018 at 12:21 AM, Tarko Tikan <tarko () lanparty ee> wrote:
hey,

> This is done with the 'logging facility' command on the devices:
>
> After defining your syslog server's IP address and the level of messaging you want (I set it to debug because I want to see everything):
>
> on the routers:
>
>     logging facility local0
>
> on the switches:
>
>     logging facility local1

An alternative, and more universal, way to do it is to use multiple IPs for the syslog server. Then configure the correct syslog server IP on the device. syslog-ng and others can all do filtering to different destinations based on the IP where the message was received.

--
tarko
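As an added illustration of the two routing approaches in the exchange above (by syslog facility, and by the collector IP the message arrived on), and not code from either poster: a small Python collector stub that decodes the syslog PRI, sends local0 to the router archive and local1 to the switch archive, falls back to the listener IP when the facility is not a recognized one, and flags crit-or-worse severities for paging. The facility-to-class mapping, the listener IPs and the sample messages are assumptions made up for the example.

```python
import re
from dataclasses import dataclass

# Facility numbers from RFC 3164/5424: local0..local7 are 16..23.
LOCAL0, LOCAL1 = 16, 17
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Assumed routing policy (illustration only): which facility or listener IP
# identifies each device class, and how severe a message must be to page someone.
FACILITY_ROUTES = {LOCAL0: "routers", LOCAL1: "switches"}
LISTENER_ROUTES = {"192.0.2.10": "routers", "192.0.2.11": "switches"}
PAGE_AT_OR_ABOVE = 2  # severity <= crit (lower number = more severe)

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)

@dataclass
class Routed:
    destination: str
    severity: str
    page: bool
    body: str

def route(raw, listener_ip=None):
    """Decode the PRI header and pick an archive destination.

    The facility in the PRI wins when it maps to a known device class;
    otherwise fall back to the IP the collector received the message on
    (the 'multiple IPs' approach). Malformed or unmapped messages go to
    'unsorted' so they are kept rather than silently dropped."""
    m = PRI_RE.match(raw)
    if not m:
        return Routed("unsorted", "unknown", False, raw)
    pri = int(m.group(1))
    if pri > 191:  # 23*8+7 is the largest legal PRI value
        return Routed("unsorted", "unknown", False, raw)
    facility, severity = divmod(pri, 8)
    dest = FACILITY_ROUTES.get(facility) or LISTENER_ROUTES.get(listener_ip, "unsorted")
    return Routed(dest, SEVERITY_NAMES[severity], severity <= PAGE_AT_OR_ABOVE, m.group(2))

# Constructed sample messages in Cisco-like format; <PRI> = facility*8 + severity.
SAMPLES = [
    ("<134>Feb  4 01:07:45 rtr1 %LINK-3-UPDOWN: Interface Gi0/1, changed state to up", None),  # local0.info
    ("<138>Feb  4 01:07:50 sw1 %SYS-2-MALLOCFAIL: Memory allocation failed", None),           # local1.crit
    ("<13>Feb  4 01:08:00 sw2 message with no local facility set", "192.0.2.11"),             # user.notice
]

def route_all(samples=SAMPLES):
    return [route(raw, ip) for raw, ip in samples]

if __name__ == "__main__":
    for r in route_all():
        print(f"{r.destination:9} {r.severity:8} page={r.page}  {r.body[:40]}")
```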