Syslog message classification


Hi All,

Please let me know about some good syslog collectors. I would also like to know how we can filter out messages of different severity levels on the collector.

I have more than 1000 devices sending syslog messages, hence isolating informational messages on the viewer is important.

Regards

Santhosh

arififtikhar Thu, 10/25/2007 - 17:54

Try the Kiwi syslog daemon. You can also filter the logging level on Cisco boxes by running:

switch(config)#logging console ?
  <0-7>          Logging severity level
  alerts         Immediate action needed            (severity=1)
  critical       Critical conditions                (severity=2)
  debugging      Debugging messages                 (severity=7)
  emergencies    System is unusable                 (severity=0)
  errors         Error conditions                   (severity=3)
  guaranteed     Guarantee console messages
  informational  Informational messages             (severity=6)
  notifications  Normal but significant conditions  (severity=5)
  warnings       Warning conditions                 (severity=4)
  xml            Enable logging in XML

darius.liepuonis Thu, 10/25/2007 - 23:59

Hi,

I was using syslog-ng on a Linux box. You can sort events based on source IP, daemon, severity, etc., e.g.:

filter f_pix1   { host(10.1.1.1); };
filter f_pix2   { host(10.1.2.1); };
filter f_auth   { facility(auth, authpriv); };
filter f_info   { level(info); };
filter f_notice { level(notice); };

and so on

Then send the sorted/filtered messages to different destination files (source all, filter by source IP and send to a separate file):

# The source and destination the log statement refers to have to be
# declared as well (assumed here, not in the original post): listen on
# UDP 514 and write the matching lines to a per-device file.
source s_all { udp(ip(0.0.0.0) port(514)); };
destination df_pix1 { file("/var/log/syslog-ng/pix1.log"); };

log {
    source(s_all);
    filter(f_pix1);
    destination(df_pix1);
};

Also, you can sort the destination files into different folders and grant different levels of access to them, or AFAIK you can use an SQL server (MySQL/PostgreSQL) as your back end and use the SQL server to manage the different levels of access. But this will require some Linux/Unix knowledge. Overall, syslog-ng is a nice toolbox that you can customize in many ways to fit your needs.

But if money is not a concern, then Cisco MARS can be used, or NetIQ (I don't remember the exact name of their product).

HTH.

Darius
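A worked, collector-side version of what both replies describe, as an added example that is not part of the thread: it decodes the syslog PRI header into the facility and the same 0-7 severity numbers listed in the IOS output above, then routes each line through filters and log paths that mirror Darius's syslog-ng host()/facility()/level() filters, including a "final" path that isolates informational and debugging traffic into its own destination (the original question) and a "fallback" path so that unmatched lines are not silently discarded. The device addresses, filter and destination names follow the config in the thread; the sample lines are constructed, and the `route`/`parse_pri` functions are this example's own, not syslog-ng or Kiwi code.

```python
import re
from collections import defaultdict

# Severity names indexed by the numeric value carried in the syslog PRI
# (RFC 3164 section 4.1.1); these are the same 0-7 levels IOS uses.
SEVERITY = ["emergencies", "alerts", "critical", "errors",
            "warnings", "notifications", "informational", "debugging"]
AUTH_FACILITIES = {4, 10}  # auth and authpriv

_PRI_RE = re.compile(r"^<(\d{1,3})>")


def parse_pri(raw):
    """Split a raw syslog line into (facility, severity, body).

    A missing or out-of-range PRI is treated as <13> (user.notice), which is
    what RFC 3164 tells a relay to assume, so the line is kept, not lost.
    """
    m = _PRI_RE.match(raw)
    if m and int(m.group(1)) <= 191:
        pri = int(m.group(1))
        return pri // 8, pri % 8, raw[m.end():]
    return 1, 5, raw


# Filters take (source_ip, facility, severity) and return True on a match,
# standing in for syslog-ng's host(), facility() and level() filters.
FILTERS = {
    "f_pix1": lambda src, fac, sev: src == "10.1.1.1",
    "f_pix2": lambda src, fac, sev: src == "10.1.2.1",
    "f_auth": lambda src, fac, sev: fac in AUTH_FACILITIES,
    "f_noise": lambda src, fac, sev: sev >= 6,   # informational, debugging
    "f_urgent": lambda src, fac, sev: sev <= 4,  # warnings and worse
}

# One entry per syslog-ng "log { source(s_all); filter(..); destination(..); }"
# statement. Order matters: "final" stops later paths from seeing the
# message, "fallback" only receives messages no other path matched.
LOG_PATHS = [
    ("f_auth",   "df_auth",   set()),
    ("f_noise",  "df_info",   {"final"}),   # isolate the chatter early
    ("f_pix1",   "df_pix1",   set()),
    ("f_pix2",   "df_pix2",   set()),
    ("f_urgent", "df_urgent", set()),
    (None,       "df_other",  {"fallback"}),
]


def route(records):
    """Route (source_ip, raw_line) records into destination buckets.

    Returns {destination: [(source_ip, severity_name, body)]}. A message can
    land in several destinations unless a "final" path consumes it first.
    """
    out = defaultdict(list)
    for src, raw in records:
        fac, sev, body = parse_pri(raw)
        entry = (src, SEVERITY[sev], body.strip())
        matched = False
        for fname, dest, flags in LOG_PATHS:
            if "fallback" in flags:
                continue
            if FILTERS[fname](src, fac, sev):
                out[dest].append(entry)
                matched = True
                if "final" in flags:
                    break
        if not matched:
            for fname, dest, flags in LOG_PATHS:
                if "fallback" in flags:
                    out[dest].append(entry)
    return dict(out)


# Constructed sample traffic; each PRI value is facility * 8 + severity.
SAMPLE = [
    ("10.1.1.1", "<166>%PIX-6-302013: Built outbound TCP connection 4711"),  # local4.info
    ("10.1.1.1", "<164>%PIX-4-106023: Deny tcp src outside:203.0.113.5/4444 dst inside:10.0.0.5/22"),  # local4.warning
    ("10.1.2.1", "<162>%PIX-2-106001: Inbound TCP connection denied"),  # local4.critical
    ("10.1.3.7", "<38>sshd[1023]: Failed password for invalid user admin from 198.51.100.9"),  # auth.info
    ("10.1.3.7", "<85>sudo: ops : TTY=pts/0 ; COMMAND=/bin/sh"),  # authpriv.notice
    ("10.1.4.2", "logger with no PRI header"),  # treated as user.notice
    ("10.1.5.5", "<999>out-of-range PRI"),  # also treated as user.notice
]

if __name__ == "__main__":
    for dest, entries in sorted(route(SAMPLE).items()):
        print(dest)
        for src, level, body in entries:
            print(f"  {src:10} {level:13} {body}")
```

With the sample above, the two informational lines end up only in df_info, the auth.info failed-password line is also copied to df_auth because that path runs before the final one, and the two lines without a usable PRI land in df_other instead of vanishing. The same shape in syslog-ng is a range filter such as `filter f_noise { level(info..debug); };` on a log statement carrying `flags(final)`, with a last statement carrying `flags(fallback)`. Filtering at the collector keeps the full stream available for later forensics; if the informational traffic should never leave the device at all, `logging trap notifications` on IOS caps the severity sent to the configured syslog hosts (`logging console` only affects what the console line prints).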
