Syslog server?

Oct 20th, 2008
What syslog server do you use? I've tried Kiwi and Solarwinds. I'm not crazy about Kiwi because of it logging to text files, and the Solarwinds version that we have is from the Engineer's toolset which doesn't allow you to select SQL databases. (It uses its own access database.)


I'm looking for something that could possibly be managed via web interface, open-source (but would settle for commercial if good enough).


Thanks!

John

Collin Clark Mon, 10/20/2008 - 05:43
*nix-based syslog-ng, comes standard w/ most distros.

As far as the webUI, I prefer php-syslog-ng, but there may be others.


*Here is another: http://www.phplogcon.org/

zhenningx Mon, 10/20/2008 - 08:13
We use msyslog on Linux. Works good!

scottmac Mon, 10/20/2008 - 08:48
The "Pro" versions for Kiwi will log to a number of supported SQL servers (they even give the field templates).


They are also capable of handling higher inbound traffic levels.


On the *nix side, Rsyslogd has been working well for me, it'll do UDP, TCP and log to some SQL databases (like MySQL). It's also multi-threaded and can handle substantial inbound traffic rates (which is why we went to it, standard *nix syslogd was swamped).


syslog-ng has a free version, I think, but it's crippled compared to the purchased version (I'm not sure about it, that's what I was told).


Rsyslogd is free and not crippled. It is now included with Red Hat Enterprise 5.1 and SUSE (10.x, 11?)


The other choke point for really heavy inbound loads is the NIC buffers, and the UDP buffer, both of which you may want to adjust ...


Good Luck


Scott


John Blakley Mon, 10/20/2008 - 11:50
Thanks Scott.


I've decided to try rsyslog, but I'm not getting anything to it.


I have the following:


local7.warn -/var/log/cisco.log

local7.debug -/var/log/cisco.log


In the router I have:


logging

logging trap 6

logging source-interface BVI1


I've tried the facilities as:


logging facility local7

logging facility syslog

and no logging facility specified.


I tried a rsyslogd -d to bring the syslog up on the screen and watch it, and it's not getting anything at all. I can ping the linux box from the router.


My main question is:


What should the facility be set to? Local7 or syslog?


Thanks!

John

zhenningx Mon, 10/20/2008 - 12:15
Your configuration seems OK. You do not need to specify logging facility at the router side as I believe Cisco routers use local7 by default.


Is it possibly caused by the Linux firewall? Can you try to shut down iptables?


Zhenning
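To check that what the router sends actually falls under the selectors John posted (local7.warn / local7.debug), and why a syslog.* selector would not catch it, here is an added Python example (not code from anyone in this thread) that decodes the <PRI> field of a syslog message and evaluates a selector against it. The sample message is constructed; the facility/severity numbering follows RFC 3164, and router_forwards is a hypothetical helper modelling "logging trap N".

```python
import re

# Facility and severity names in RFC 3164 numerical order (PRI = facility * 8 + severity).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warn", "notice", "info", "debug"]
# Alternative spellings rsyslog accepts in a selector.
ALIASES = {"panic": "emerg", "error": "err", "warning": "warn"}

PRI_RE = re.compile(r"^<(\d{1,3})>")

# Constructed sample of what an IOS router with the default facility sends:
# PRI 189 = 23 * 8 + 5, i.e. local7.notice (the "-5-" in %SYS-5-CONFIG_I is the same severity).
SAMPLE = "<189>39: *Oct 20 11:50:01: %SYS-5-CONFIG_I: Configured from console by vty0"

def decode_pri(message):
    """Return (facility, severity) names from the leading <PRI> field of a syslog message."""
    m = PRI_RE.match(message)
    if not m:
        raise ValueError("message has no <PRI> prefix")
    pri = int(m.group(1))
    if pri > 191:
        raise ValueError("PRI %d out of range" % pri)
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]

def selector_matches(selector, message):
    """True if a classic syslog.conf/rsyslog selector such as 'local7.warn' accepts the message.
    A severity in a selector means 'this level or more urgent', so local7.warn keeps
    emerg..warn and drops notice/info/debug, while local7.debug keeps everything."""
    fac_part, sev_part = selector.split(".")
    sev_part = ALIASES.get(sev_part, sev_part)
    facility, severity = decode_pri(message)
    if fac_part not in ("*", facility):
        return False
    return sev_part == "*" or SEVERITIES.index(severity) <= SEVERITIES.index(sev_part)

def router_forwards(trap_level, message):
    """Hypothetical model of IOS 'logging trap N': the router only sends messages whose
    severity is <= N, so with 'logging trap 6' debug-level (7) messages never leave it."""
    return SEVERITIES.index(decode_pri(message)[1]) <= trap_level

if __name__ == "__main__":
    print(decode_pri(SAMPLE))  # ('local7', 'notice')
    for sel in ("local7.warn", "local7.debug", "syslog.debug"):
        print(sel, selector_matches(sel, SAMPLE))
```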

scottmac Thu, 10/23/2008 - 14:00
Can you post up your /etc/rsyslog.conf file?


The default "might not" work from the default installation. Rsyslog docs say it will also read the /etc/syslog.conf file ... but if that wasn't really configured beyond the defaults, it might not have translated well.


A good way to test it is a utility from (who else?) Kiwi called (I think) sysloggen ... something like that ... it lets you craft test syslog messages (TCP, UDP, any facility, etc) and direct it towards a specific server.


I'll try to pull and sanitize one of my rsyslog.conf files to give you an example. The config file provided with the package is also pretty well documented ...


Good Luck

Scott
