RME syslog -> event de-duplication w/ RSAC?

Unanswered Question

hi,


In a deployment of LMS v3.1, let's say we have a WAN environment where log information is considered critical.


For that purpose, device syslog is sent to two site-local destinations, RSAC#1 and RSAC#2 which achieves the requisite degree of resiliency.


If a central RME subscribes to both RSAC, are syslog events de-duplicated today?


If not...


i) comment on what issues this might pose, especially if they are not cosmetic, and


ii) could de-duplication be put forth for consideration on the feature roadmap.


Curious.


thanks,


Rob.


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Joe Clarke Sun, 08/10/2008 - 16:33

Message de-duplication is currently not done. The idea with RSAC was to offload syslog filtering from the central server as well as provide distributed syslog destinations which could feed filtered messages back to a centralized database using a secure protocol.


1. The biggest concern is with Change Audit and config/inventory fetching. Depending on the delay in the network, and in the processing of the messages, RME may try to fetch the config or inventory from the same device multiple times in succession. This puts an unnecessary burden both on RME and the devices.


2. Absolutely. This is not on the roadmap for LMS 3.2/RME 4.3, but it could be added via a PERS from your account team. I think it would make a good feature.

Actions

This Discussion