Andreas Östling wrote:

> On Sat, 11 Aug 2001, Marlys A Nelson wrote:
> ...
> > Recently, the log traffic from our firewall (linux running ipchains) has
> > been so heavy that the syslog server has been losing data.
> ...
> > I'm wondering how others configure their syslogging "enterprise-wide" to
> > avoid this problem?
>
> I think it sounds a bit weird that the syslog server is losing data just
> because of one host sending too much information.

Well, when that one host is our firewall, and the rule that's triggering it is a deny on port 80, and we have a Class B network that's being hammered by the world scanning for IIS servers, that's one heck of a lot of information that's being sent. Logging the scans (had been) important to me so that I could see what was being attempted coming into our network. Right now, I've had to drop it so that I see all the other logs.

> If you mean you're running standard Linux syslogd on the syslog server, I
> think you should really try something else.

I am running standard syslogd. The syslog server is running Red Hat 7.0 and is dedicated to the syslog function. It's a PIII 450 w/ 256Mb of RAM, 3 SCSI disks - 1 for the OS, the other 2 in a software RAID stripe 0 for the logs. A ps shows that the syslogd is taking up about 10% of the CPU fairly consistently.

> You're probably logging into one big file on the syslog server, right?
> If I'm not mistaken, at least Linux standard syslogd has/had some
> terrible performance problems when handling large log files.

I'm actually logging into up to 18 different files split according to the facility. So the logs from my firewall go into a different file than the sendmail logs, etc. I also rotate the files daily, moving and compressing the files to another directory for further processing.

I'd be willing to look into an alternate syslogd for this server if this would help. Is syslog-ng the main alternative or are there others?

-- 
Marlys A. Nelson
Sr. Network Specialist
Information Technology Services, Network Services
University of Wisconsin - River Falls
410 South Third Street
River Falls WI 54022
Email: Marlys.A.Nelsonat_private
http://www.uwrf.edu/

---------------------------------------------------------------------
To unsubscribe, e-mail: loganalysis-unsubscribeat_private
For additional commands, e-mail: loganalysis-helpat_private
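The message above describes a syslog server dropping messages because one ipchains rule (a deny on port 80 across a Class B) produces one log line per scanned packet. One way to keep the "who is scanning us" information without forwarding every packet is to summarise the noisy rule per source address before the lines reach the central server. The following is an added example, not code from the original post or from any syslog implementation; it assumes the classic ipchains kernel log format ("Packet log: <chain> <target> <iface> PROTO=<n> <src>:<sport> <dst>:<dport> ...") and every sample log line in it is constructed for the example.

```python
"""Summarise ipchains DENY log lines per source instead of forwarding each one.

Added example (not from the original post or any syslog project). It assumes
the classic ipchains kernel log format; all sample lines are constructed.
"""
import re
from collections import Counter

# Fields of an ipchains kernel log record, as the example assumes them.
IPCHAINS_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+) "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)"
)

# Constructed sample input: a few seconds of what the syslog server would receive.
SAMPLE_LOG = """\
Aug 11 10:00:01 fw kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.5:3421 198.51.100.1:80 L=60 S=0x00 I=1 F=0x4000 T=64 SYN (#3)
Aug 11 10:00:01 fw kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.5:3422 198.51.100.2:80 L=60 S=0x00 I=2 F=0x4000 T=64 SYN (#3)
Aug 11 10:00:02 fw kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.77:1025 198.51.100.3:80 L=60 S=0x00 I=3 F=0x4000 T=64 SYN (#3)
Aug 11 10:00:02 mail sendmail[1234]: f7BH02a01234: from=<user@example.com>, size=512, class=0
Aug 11 10:00:03 fw kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.5:3423 198.51.100.4:80 L=60 S=0x00 I=4 F=0x4000 T=64 SYN (#3)
Aug 11 10:00:03 fw kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.9:40000 198.51.100.5:22 L=60 S=0x00 I=5 F=0x4000 T=64 SYN (#4)
Aug 11 10:00:04 fw kernel: Packet log: input ACCEPT eth0 PROTO=6 192.0.2.9:40001 198.51.100.6:80 L=60 S=0x00 I=6 F=0x4000 T=64 SYN (#1)
Aug 11 10:00:04 fw kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.77:1026 198.51.100.7:80 L=60 S=0x00 I=7 F=0x4000 T=64 SYN (#3)
Aug 11 10:00:05 fw kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.9:40002 198.51.100.8:80 L=60 S=0x00 I=8 F=0x4000 T=64 SYN (#3)
"""


def parse_ipchains(line):
    """Return the ipchains fields of a log line as a dict, or None for any other line."""
    m = IPCHAINS_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec


def aggregate(lines, target="DENY", dport=80):
    """Split lines into (passthrough, counts).

    Lines hitting the noisy rule (given target and destination port) are
    counted per source address; every other line, firewall or not, is kept
    untouched so only the flood itself is summarised.
    """
    passthrough = []
    counts = Counter()
    for line in lines:
        rec = parse_ipchains(line)
        if rec and rec["target"] == target and rec["dport"] == dport:
            counts[rec["src"]] += 1
        else:
            passthrough.append(line)
    return passthrough, counts


def summary_lines(counts, target="DENY", dport=80):
    """One line per source, busiest first, in place of one line per packet."""
    return [
        f"fw-summary {target} dport={dport} src={src} packets={n}"
        for src, n in counts.most_common()
    ]


def reduce_log(text, target="DENY", dport=80):
    """Process one chunk of log text; return the lines that would be forwarded."""
    passthrough, counts = aggregate(text.splitlines(), target, dport)
    return passthrough + summary_lines(counts, target, dport)


if __name__ == "__main__":
    before = SAMPLE_LOG.splitlines()
    after = reduce_log(SAMPLE_LOG)
    print(f"{len(before)} lines in, {len(after)} lines out")
    for line in after:
        print(line)
```

Run over an interval's worth of buffered lines (one minute, one rotation, whatever fits), the six per-packet deny lines in the sample collapse to three per-source summaries while the sendmail line, the port-22 deny and the ACCEPT pass through unchanged. The trade-off is explicit: per-packet detail (source port, destination address, IP ID) is gone for the summarised rule, so keep the raw lines locally on the firewall if they are still wanted for forensics and forward only the summaries to the central syslog host.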
This archive was generated by hypermail 2b30 : Sun Aug 12 2001 - 20:18:05 PDT