Re: improving signal to noise ratio from centralized network syslogs
--- tarko@lanparty.ee wrote:
This is done with the 'logging facility' command on the devices:
After defining your syslog server's IP address and the level of messaging you want (I set it to debug because I want to see everything):
on the routers: logging facility local0
on the switches: logging facility local1

An alternative, and more universal, way to do it is to use multiple IPs for the syslog server. Then configure the correct syslog server IP on each device. syslog-ng and others can all do filtering to different destinations based on the IP where the message was received.
------------------------------------------------
The nice thing about the simple way is you see everything that's happening on the network, except what you 'egrep -v' out, which you already know about. Then you find things you weren't expecting. You don't go looking for stuff. You just watch the network events scroll by in real time and see what shows up.

I have no knowledge of syslog-ng. Does it do the real time scrolling like I mention?

scott
On 5 February 2018 at 18:57, <valdis.kletnieks@vt.edu> wrote:
On Mon, 05 Feb 2018 10:49:42 -0800, "Scott Weeks" said:
I have no knowledge of syslog-ng. Does it do the real time scrolling like I mention?
Use 'tail -f' or similar.
The only problem with BASH-based solutions is that they are slow. They don't scale well.

Some years ago I wrote a script that would periodically (every 5 minutes by default) grep for interesting events / filter uninteresting events from the syslog file and email you the results. It's here if anyone is interested: https://null.53bits.co.uk/index.php?page=sysgrep

It's OK for a small network or small number of devices but it doesn't scale well. Having said that, it's better than nothing and costs $0 (which is exactly why I used it in the first place).

Cheers,
James.
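The two approaches above, splitting devices by facility (tarko's local0 for routers and local1 for switches) and then dropping known noise with 'egrep -v' (Scott) or a periodic grep (James), can be combined in one filter. The following is an added example, not code from this thread or from sysgrep: it decodes the <PRI> of RFC 3164-style lines into facility and severity, maps the two facilities to a device class, applies a named suppression list, and, unlike a bare 'egrep -v', counts what each rule dropped and how many lines failed to parse, so nothing disappears silently. The sample lines, the hostnames and the suppression rules are constructed for the example.

```python
"""Added example: facility-based routing plus noise suppression over syslog lines.

Not code from the thread. The device-to-facility mapping (local0 = routers,
local1 = switches) follows tarko's post; the NOISE list stands in for the
patterns one would otherwise pass to 'egrep -v'. All sample data is constructed.
"""
import re
from collections import Counter

FACILITY_NAMES = {16: "local0", 17: "local1"}            # the two facilities used in the thread
DEVICE_CLASS = {"local0": "router", "local1": "switch"}   # assumed mapping, per tarko's post
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# A line as a daemon stores it when it keeps the <PRI> prefix (RFC 3164 style):
# <PRI>Mmm dd hh:mm:ss host message
LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<msg>.*)$"
)

# Hypothetical noise list: a name plus the regex you would otherwise 'egrep -v'.
# Naming each rule lets the report say what was dropped and by which rule.
# The lookahead keeps "Gi0/0/0" from also swallowing "Gi0/0/0.10" or "Gi0/0/0/1".
NOISE = [
    ("expected-flap-gi0/0/0", re.compile(r"%LINEPROTO-5-UPDOWN:.*GigabitEthernet0/0/0(?![\d/.])")),
    ("ntp-sync", re.compile(r"%SYS-6-CLOCKUPDATE")),
]

# Constructed sample input (PRI = facility * 8 + severity).
SAMPLE = [
    # local0.notice (133): known-bad router port flapping -> suppressed
    "<133>Feb  5 18:57:01 rtr1 %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0/0, changed state to down",
    # local0.notice (133): a different port -> kept
    "<133>Feb  5 18:57:02 rtr1 %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0/1, changed state to down",
    # local1.info (142): clock update on a switch -> suppressed
    "<142>Feb  5 18:57:03 sw1 %SYS-6-CLOCKUPDATE: System clock has been updated from 18:57:02 UTC to 18:57:03 UTC",
    # local1.warning (140): the kind of thing you were not looking for -> kept
    "<140>Feb  5 18:57:04 sw1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.0.2.5] [localport: 22]",
    # malformed line -> counted, not dropped silently
    "this is not a syslog line",
]


def parse(line):
    """Return a dict for one syslog line, or None if it is not in the expected shape."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:                      # 24 facilities * 8 severities - 1
        return None
    facility = FACILITY_NAMES.get(pri >> 3, "facility%d" % (pri >> 3))
    return {
        "facility": facility,
        "device_class": DEVICE_CLASS.get(facility, "other"),
        "severity": SEVERITY_NAMES[pri & 7],
        "host": m.group("host"),
        "msg": m.group("msg"),
    }


def triage(lines, noise=NOISE):
    """Split lines into what the operator should see and what was suppressed.

    Returns (kept, suppressed, unparsed): kept is a list of parsed events in
    input order, suppressed counts hits per noise rule name, unparsed counts
    lines that did not match LINE_RE.
    """
    kept, suppressed, unparsed = [], Counter(), 0
    for line in lines:
        ev = parse(line)
        if ev is None:
            unparsed += 1
            continue
        hit = next((name for name, rx in noise if rx.search(ev["msg"])), None)
        if hit:
            suppressed[hit] += 1
        else:
            kept.append(ev)
    return kept, suppressed, unparsed


if __name__ == "__main__":
    kept, suppressed, unparsed = triage(SAMPLE)
    for ev in kept:
        print("%s %s.%s %s: %s" % (ev["device_class"], ev["facility"], ev["severity"], ev["host"], ev["msg"]))
    print("suppressed:", dict(suppressed), "unparsed:", unparsed)
```

Run as a 5-minute cron job over the lines appended since the last run and mail the output, and the suppression counts tell you when an 'egrep -v' pattern has started eating more than the one known port it was written for.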
On Mon, 05 Feb 2018 20:27:13 +0000, James Bensley said:
On 5 February 2018 at 18:57, <valdis.kletnieks@vt.edu> wrote:
On Mon, 05 Feb 2018 10:49:42 -0800, "Scott Weeks" said:
I have no knowledge of syslog-ng. Does it do the real time scrolling like I mention?
Use 'tail -f' or similar.
The only problem with BASH-based solutions is that they are slow. They don't scale well.
The basic point was that you need to supply your own solution for monitoring syslog-ng logs, be it tail or logwatch or whatever - it doesn't come with its own.
On Mon, Feb 5, 2018 at 9:27 PM, James Bensley <jwbensley@gmail.com> wrote:
On 5 February 2018 at 18:57, <valdis.kletnieks@vt.edu> wrote:
On Mon, 05 Feb 2018 10:49:42 -0800, "Scott Weeks" said:
I have no knowledge of syslog-ng. Does it do the real time scrolling like I mention?
Use 'tail -f' or similar.
The only problem with BASH-based solutions is that they are slow. They don't scale well.
Some years ago I wrote a script that would periodically (every 5 minutes by default) grep for interesting events / filter uninteresting events from the syslog file and email you the results. It's here if anyone is interested: https://null.53bits.co.uk/index.php?page=sysgrep
Last year I found the time to code something similar in Perl using File::Tail; here is the outcome in case anyone is interested: https://github.com/jkougoulos/9to5tail

Regards,
John
participants (4): James Bensley, John Kougoulos, Scott Weeks, valdis.kletnieks@vt.edu