I've tried quite a few solutions, and the solution that works for engineers who know Linux and text parsing is often ill-suited to many operations folks.

I have to admit Splunk is nice and I prefer it, but the price is outrageous. If I'm logging from 500 routers/switches, I can likely get away with a reasonable 5 GB/day license. However, any firewall logging per-connection statistics towards anything reasonably busy will quickly chew through the 5 GB in no time with a single device, and I don't like paying more in software licensing to log than I did for the firewall itself. This, combined with the removal of e-mail alerts in the 4.0 version when upgrading from 3.0 (resulting in breakage without warning and no downgrade path), irked me. So that solution is out.

I've also heard of a coworker liking a solution called PHP-SYSLOG-NG. Its claim to fame was putting the events in a database so they are easily and quickly searchable. I didn't explore it further when I looked about a year ago, as it was clear further development had ceased, the author having turned it into a commercial solution called LogZilla. I haven't explored pricing.

I now use SEC (Simple Event Correlator), linked by someone below. It works adequately well if you can write a regex which matches what you're watching for and an output action. Performance is acceptable, but there is some hit. However, it can keep the logs available in text-file format, which is nice for data parsing with command-line tools in certain cases, where many of the database alternatives don't. The one thing SEC is missing that I would enjoy is a community-based rules database for common alerts in network products.

I believe there are adequate open source solutions, but the best seem to be the commercial products, IMHO.

On Tue, Oct 4, 2011 at 8:27 AM, Jason LeBlanc <jml@packetpimp.org> wrote:
+1 for SEC; minimal hit on the CPU, like most parsing tools. The regexp can be painful, but it is fairly extensible. Once you get used to it you'll love it.
On 10/04/2011 05:58 AM, Ben Roeder wrote:
Hi Mike,

We have used Octopussy ( http://www.8pussy.org/dokuwiki/doku.php?id=home yes, it is work safe :-) ) with OK results. Have used SEC ( Simple Event Correlator, http://simple-evcorr.sourceforge.net/ ) to some success in simple cases.

Currently having another look at this myself, and the following look interesting, but I have not deployed them yet: http://logstash.net/ and http://graylog2.org/about

Ben

On 30 Sep 2011, at 14:50, harbor235 wrote:
What is everyone using to collect, alert, and analyze syslog data?
I am looking for something that can generate reports as well as support multiple vendors. We have done some home-grown stuff in the past but would be interested in something that incorporates all the best features.

SolarWinds, Splunk, fwanalog, and others come to mind; any other good ones out there?
Mike
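The regex-plus-action style of alerting that the thread credits to SEC, as an added example that is not from the thread, from SEC itself, or from any other tool mentioned above: a small Python correlator with one rule type modelled on SEC's SingleWithThreshold (fire when a pattern matches N times within a window for the same host and capture groups, then stay quiet for that key until the window has passed), run over constructed Cisco IOS-style syslog lines. The rule names, hostnames, interface names, log lines and the year supplied for the year-less BSD timestamps are all assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# BSD-style syslog header as a Cisco box emits it (no year, optional sequence number):
#   "Oct  4 08:27:15 rtr1 126: %LINK-3-UPDOWN: Interface ..."
HEADER_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?:\d+: )?(?P<msg>.*)$"
)
LOG_YEAR = 2011  # assumption: BSD syslog timestamps carry no year, so one is supplied


def parse_line(line):
    """Split one syslog line into (timestamp, host, message); None if it is not one."""
    m = HEADER_RE.match(line.rstrip("\n"))
    if not m:
        return None
    ts = datetime.strptime(
        f"{LOG_YEAR} {m['mon']} {int(m['day'])} {m['time']}", "%Y %b %d %H:%M:%S"
    )
    return ts, m["host"], m["msg"]


class ThresholdRule:
    """Regex + action, in the spirit of SEC's SingleWithThreshold rule type.

    Fire `action` once `pattern` has matched `thresh` times within `window`
    seconds for the same key (source host plus the regex capture groups), then
    ignore that key until the window has passed.  thresh=1, window=0 degrades
    to a plain match-and-act rule (SEC's Single)."""

    def __init__(self, name, pattern, thresh, window, action):
        self.name = name
        self.pattern = re.compile(pattern)
        self.thresh = thresh
        self.window = timedelta(seconds=window)
        self.action = action
        self.hits = defaultdict(deque)  # key -> timestamps of recent matches
        self.quiet_until = {}           # key -> time until which this key is suppressed

    def feed(self, ts, host, msg):
        m = self.pattern.search(msg)
        if not m:
            return None
        key = (host,) + m.groups()
        if ts < self.quiet_until.get(key, datetime.min):
            return None                 # already alerted for this key in this window
        q = self.hits[key]
        q.append(ts)
        while ts - q[0] > self.window:  # drop matches that fell out of the window
            q.popleft()
        if len(q) < self.thresh:
            return None
        count = len(q)
        q.clear()
        self.quiet_until[key] = ts + self.window
        return self.action(self.name, ts, key, count)


def mail_alert(name, ts, key, count):
    """Stand-in for SEC's mail/pipe/shellcmd actions: just build the alert text."""
    return f"{ts:%H:%M:%S} {name}: {count} match(es) for {key}"


def run(lines, rules):
    """Feed every parseable line through every rule, in order; return the alerts raised."""
    alerts = []
    for line in lines.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        for rule in rules:
            alert = rule.feed(*parsed)
            if alert:
                alerts.append(alert)
    return alerts


def build_rules():
    # Example rules; pattern, threshold and window are the whole detection.
    return [
        ThresholdRule("link-flap",
                      r"%LINK-3-UPDOWN: Interface (\S+), changed state to down",
                      thresh=3, window=60, action=mail_alert),
        ThresholdRule("config-change",
                      r"%SYS-5-CONFIG_I: Configured from (\S+) by (\S+)",
                      thresh=1, window=0, action=mail_alert),
    ]


# Constructed sample lines in Cisco IOS style; not taken from any real device.
SAMPLE_LOGS = """\
Oct  4 08:27:01 rtr1 123: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down
Oct  4 08:27:03 rtr1 124: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to up
Oct  4 08:27:09 rtr1 125: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down
Oct  4 08:27:15 rtr1 126: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down
Oct  4 08:27:20 rtr2 77: %LINK-3-UPDOWN: Interface GigabitEthernet0/2, changed state to down
Oct  4 08:29:40 rtr1 130: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down
Oct  4 08:30:02 rtr1 131: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.5)
"""

if __name__ == "__main__":
    for alert in run(SAMPLE_LOGS, build_rules()):
        print(alert)
```

Run as-is it raises two alerts: the link-flap rule fires on the third Gi0/1 "down" within 60 seconds and stays silent for the isolated "down" two minutes later, and the config-change rule fires once on the configuration event. The regex is the entire detection, which is the point the thread makes about SEC; a real SEC rule file expresses the same thing with type=SingleWithThreshold, pattern=, thresh= and window= lines, and its action= mails or pipes the $1-style substitutions instead of returning a string.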