I am looking for a syslog server to log all logs from Cisco devices. We have more than 800 Cisco devices. Can anyone tell me what syslog server I should use to log these files?
Thanks Collin. I checked the link and I am confused. I am not good at Linux. Do you know any syslog server application that can run on the Windows platform?
I came across Kiwi Syslog Daemon but I don't know if it is good and secure. Any comments?
I'm a big fan of the Kiwi syslog product and have been using it in production for almost 2 years. You can also try it for free!
It is highly configurable and has some nice options, especially in the registered/paid version.
Thanks for the reply. I have a few questions about Kiwi Syslog.
What operating system are you using for Kiwi Syslog, and are you running it on a separate box or a shared server?
Do you know about Kiwi CatTools? Do we need this tool?
We run it on a Windows 2003 server which also houses several other network management tools. As for Kiwi CatTools, it is a great utility for managing Cisco device configurations and changes. I use it to regularly pull all my device configs so I can reference changes, archive them, etc. However, it is not necessary to purchase the CatTools product to use the syslog product.
Hope that helps,
For 800 devices you should look into a scalable solution. Maybe a commercial product like sawmill is what you need.
Depending on how much you want to spend, the best product I found was SolarWinds Orion. With 800 Cisco devices I would use it. It is expensive, but it does everything you need for one person to manage 800 devices.
I have used Kiwi Syslog. They also offer a lot of other really nice tools that you will find helpful.
How many messages per second do you think those 800 devices generate? If any of them are firewalls they can be really noisy. I've had great luck with the Loglogic appliances - they can handle almost anything I throw at them.
Eventpulse is the best tool for windows platform, bar none, and free too.
Has anyone used the Cisco recommendation of Building Scalable Syslog Solutions?
I used this in another organization and we were very successful. We currently use Netcool that feeds from a syslog, and we get several non-actionable alarms; it's very time consuming for 13,000 devices. I would only like to alert on 0-5 Cisco syslog messages. Below is the response from my Netcool Administrator (what are your thoughts?):
From my Netcool Administrator:
Regarding, using the Cisco syslog severity for alert control, I feel that is not the best way to control the work in Netcool.
1. Cisco is not consistent with the use of this value.
In this case the important message is the lower severity alert: I would consider the BGP-3-NOTIFICATION of a 6 level of Informational
Aug 4 03:10:01 rtgara02r01m04-lb0.us.bank-dns.com 001458: Aug 4 03:10:01: %BGP-5-ADJCHANGE: neighbor 10.93.69.106 Down BGP Notification sent
Aug 4 03:10:02 rtgara02r01m04-lb0.us.bank-dns.com 001459: Aug 4 03:10:01: %BGP-3-NOTIFICATION: sent to neighbor 10.93.69.106 4/0 (hold time expired) 0 bytes
This one is near the top level of severity per Cisco but not all that severe in reality; further, this syslog has a bug where the threshold is not even exceeded:
%ENVMON-1-CPU_WARNING_OVERTEMP: Critical Warning: CPU temperature 107C exceeds threshold 110C. Please resolve system cooling immediately to prevent system damage
This one is reporting a standard condition:
%ILPOWER-5-POWER_GRANTED: Interface Fa0/24: Power granted
Here is an example of a 1 where the voice group says that nothing is wrong:
Aug 4 13:08:42 rtgcaa75u01-01.sw.us.bank-dns.com 047489: Aug 4 11:08:41: %IVR-1-APP_PARALLEL_INVALID_LIST: Call terminated. Huntgroup '1' does not contain enough valid SIP end-points to proceed with a parallel call.
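The Netcool administrator's point above (device-reported severity is not a reliable alert trigger) can be made concrete in code. The following is an added example, not part of the thread or of any Netcool or Cisco tooling: it parses the `%FACILITY-SEVERITY-MNEMONIC:` header out of the sample messages quoted in the thread, compares a naive "alert on severity 0-3" filter against a per-mnemonic watchlist, and flags the ENVMON overtemp message whose reported temperature does not actually exceed its own threshold. The watchlist contents and the severity threshold are constructed assumptions for the demonstration.

```python
"""Triage Cisco IOS syslog messages by mnemonic watchlist rather than device severity (added example)."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Cisco IOS message header: %FACILITY-SEVERITY-MNEMONIC: text (severity 0 = emergency ... 7 = debug)
MSG_RE = re.compile(
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)"
)
# Pulls the reported temperature and threshold out of an ENVMON overtemp message
TEMP_RE = re.compile(r"temperature\s+(?P<temp>-?\d+)C\s+exceeds\s+threshold\s+(?P<limit>-?\d+)C")


@dataclass
class CiscoMessage:
    facility: str
    severity: int
    mnemonic: str
    text: str
    raw: str

    @property
    def message_id(self) -> str:
        """Stable key such as BGP-5-ADJCHANGE, usable in a watchlist."""
        return f"{self.facility}-{self.severity}-{self.mnemonic}"


def parse_cisco_syslog(line: str) -> Optional[CiscoMessage]:
    """Extract the IOS message header from a forwarded syslog line; None if no header is present."""
    m = MSG_RE.search(line)
    if m is None:
        return None
    return CiscoMessage(m["facility"], int(m["severity"]), m["mnemonic"], m["text"].strip(), line)


def alert_by_severity(messages: Iterable[CiscoMessage], threshold: int = 3) -> List[CiscoMessage]:
    """Naive rule: alert on everything the device itself rates at or below the threshold."""
    return [m for m in messages if m.severity <= threshold]


def alert_by_watchlist(messages: Iterable[CiscoMessage], watchlist: set) -> List[CiscoMessage]:
    """Curated rule: alert only on mnemonics the operators have decided are actionable."""
    return [m for m in messages if m.message_id in watchlist]


def overtemp_claim_is_consistent(msg: CiscoMessage) -> Optional[bool]:
    """None if the message carries no temperature claim, else whether temp really exceeds the limit."""
    t = TEMP_RE.search(msg.text)
    if t is None:
        return None
    return int(t["temp"]) > int(t["limit"])


# Sample lines quoted in the thread above (the ones without a syslog prefix are shown bare there)
SAMPLE_LINES = [
    "Aug 4 03:10:01 rtgara02r01m04-lb0.us.bank-dns.com 001458: Aug 4 03:10:01: %BGP-5-ADJCHANGE: neighbor 10.93.69.106 Down BGP Notification sent",
    "Aug 4 03:10:02 rtgara02r01m04-lb0.us.bank-dns.com 001459: Aug 4 03:10:01: %BGP-3-NOTIFICATION: sent to neighbor 10.93.69.106 4/0 (hold time expired) 0 bytes",
    "%ENVMON-1-CPU_WARNING_OVERTEMP: Critical Warning: CPU temperature 107C exceeds threshold 110C. Please resolve system cooling immediately to prevent system damage",
    "%ILPOWER-5-POWER_GRANTED: Interface Fa0/24: Power granted",
    "Aug 4 13:08:42 rtgcaa75u01-01.sw.us.bank-dns.com 047489: Aug 4 11:08:41: %IVR-1-APP_PARALLEL_INVALID_LIST: Call terminated. Huntgroup '1' does not contain enough valid SIP end-points to proceed with a parallel call.",
]

# Constructed watchlist: the administrator treats the adjacency change as the message that matters
WATCHLIST = {"BGP-5-ADJCHANGE"}


def triage(lines: Iterable[str], watchlist: set = WATCHLIST, threshold: int = 3) -> dict:
    """Run both alert strategies over raw lines and report which message ids each would page on."""
    msgs = [m for m in (parse_cisco_syslog(l) for l in lines) if m is not None]
    return {
        "by_severity": [m.message_id for m in alert_by_severity(msgs, threshold)],
        "by_watchlist": [m.message_id for m in alert_by_watchlist(msgs, watchlist)],
        "suspect_overtemp": [m.message_id for m in msgs if overtemp_claim_is_consistent(m) is False],
    }


if __name__ == "__main__":
    for strategy, ids in triage(SAMPLE_LINES).items():
        print(f"{strategy}: {ids}")
```

Run against the five quoted messages, the severity-threshold rule pages on three messages the administrator calls non-actionable (BGP-3, ENVMON-1 and IVR-1) while missing the BGP-5 adjacency change; the watchlist rule pages on that one message only. The overtemp sanity check is the kind of per-mnemonic validation that belongs in the collector rather than in the device, since the firmware message text cannot be trusted to be self-consistent.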