Hi Scott,

First of all, good luck with that :) It's not easy to set up a good logging architecture for large networks.

I have done something similar for a large medical department and we used a distributed approach. We divided the department into multiple "sections", each one with its own log analysis server. We first thought of using them as filters to forward the data to a central "powerful" server, but that didn't work well. First, the more you filter, the less information you have (especially if you are using regexes). Second, in some extreme cases, you may get more data than what you really want (and than your server can handle). Third :), the farther away you are from the systems, the less you know about that network segment (and the harder the correlation is).

So we let each analysis server be isolated, only looking at the data from that specific segment. Because of that, the traffic didn't cause too much trouble and the correlation was easier on each server. We also set up e-mail alerting on them and used some tools to make viewing the logs easier (making it easier for the network group to look at them). We also had to have encrypted tunnels for the logs, and for that we used an initial version of the ossec hids (it was also used for the correlation and e-mail alerting).

Hope it helps. Good luck again!

--
Daniel B. Cid
dcid @ ( at ) ossec.net

--- ScottO <skippylou@private> wrote:
> Okay, so here is the current task I am working on and was looking to see
> how people have tackled it, basically any ideas out there to ponder. Any
> thoughts, comments, etc. will be appreciated. Thanks.
>
> Key Highlights:
>
> - Centralized logging setup for over 1000 Linux hosts.
> - Need it to be scalable to even more eventual hosts.
> - Estimate less than 1MB of data per host per day. Want to do
>   summarization with syslog-ng to reduce network traffic, to make this
>   even less.
> - Need it set up so that the network isn't saturated.
> - Roll out syslog-ng to the hosts, for using filtering etc.
>
> Two ways I'm considering doing the backend right now:
>
> - Potentially some sort of Linux LVS cluster with an NFS backend. So a
>   pair of Linux load balancers that will hand off the syslog data to
>   centralized syslog servers in a cluster, that then dump into some shared
>   NFS server/solution.
> - Or, maybe having distributed "collector" syslog servers that somehow
>   dump back to a central syslog server. So a distributed architecture
>   approach.
>
> The LVS setup seems appealing to me for the scalability potential, but
> not sure if it is overkill. What I am currently most concerned with is
> the amount of traffic over the network.
>
> Thanks for any help.
> _______________________________________________
> LogAnalysis mailing list
> LogAnalysis@private
> http://lists.shmoo.com/mailman/listinfo/loganalysis
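The following is an added example, not code from either message above and not part of ossec or syslog-ng. It sketches what a per-segment collector of the kind Daniel describes would do with the data it receives: summarize repeated lines before forwarding (the traffic reduction Scott is after), correlate failed SSH logins across the hosts of one segment, and show what a regex pre-filter costs that correlation. The log lines, host names, source addresses and thresholds are constructed for the example.

```python
"""Per-segment syslog collector: summarize repeats, then correlate locally.

Added example for the thread above; not the original poster's setup and
not ossec/syslog-ng code. Every log line, host name and threshold here is
constructed for illustration.
"""
import re
from collections import defaultdict

# Constructed RFC 3164-style lines, as one segment's collector would receive them.
SEGMENT_LOG = """\
<38>Mar 12 10:01:02 ward-a-01 sshd[2211]: Failed password for root from 10.9.8.7 port 51022 ssh2
<38>Mar 12 10:01:03 ward-a-01 sshd[2211]: Failed password for root from 10.9.8.7 port 51023 ssh2
<38>Mar 12 10:01:03 ward-a-01 sshd[2211]: Failed password for root from 10.9.8.7 port 51023 ssh2
<38>Mar 12 10:01:05 ward-a-02 sshd[1840]: Failed password for admin from 10.9.8.7 port 51030 ssh2
<38>Mar 12 10:01:07 ward-a-03 sshd[1912]: Failed password for root from 10.9.8.7 port 51041 ssh2
<30>Mar 12 10:01:09 ward-a-02 cron[1901]: (root) CMD (run-parts /etc/cron.hourly)
<30>Mar 12 10:01:09 ward-a-02 cron[1901]: (root) CMD (run-parts /etc/cron.hourly)
<38>Mar 12 10:01:11 ward-a-03 sshd[1915]: Accepted publickey for backup from 10.9.1.4 port 40022 ssh2
"""

# <PRI>MMM DD hh:mm:ss host tag: message
LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>[^:]+): (?P<msg>.*)$"
)
FAILED_RE = re.compile(r"Failed password for (?P<user>\S+) from (?P<src>[\d.]+) port \d+")


def parse(line):
    """Split one BSD-syslog line into fields; return None for lines we cannot parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    pri = int(rec.pop("pri"))
    rec["facility"], rec["severity"] = divmod(pri, 8)  # PRI = facility*8 + severity
    rec["count"] = 1
    return rec


def summarize(records):
    """Collapse runs of identical (host, tag, msg) into one record carrying a count.

    This is the 'last message repeated N times' idea: fewer bytes leave the
    segment, but no fact is discarded, unlike a regex filter.
    """
    out = []
    for rec in records:
        if out and all(out[-1][k] == rec[k] for k in ("host", "tag", "msg")):
            out[-1]["count"] += rec["count"]
        else:
            out.append(dict(rec))
    return out


def correlate_failed_logins(records, min_attempts=3, min_hosts=2):
    """Segment-local correlation: failed SSH logins grouped by source address
    across every host in the segment; flag sources that hit several hosts."""
    attempts = defaultdict(int)
    hosts = defaultdict(set)
    for rec in records:
        m = FAILED_RE.match(rec["msg"])
        if not m:
            continue
        src = m.group("src")
        attempts[src] += rec["count"]  # honour counts produced by summarize()
        hosts[src].add(rec["host"])
    return {
        src: {"attempts": n, "hosts": sorted(hosts[src])}
        for src, n in attempts.items()
        if n >= min_attempts and len(hosts[src]) >= min_hosts
    }


def keep_matching(records, pattern):
    """A regex pre-filter of the kind Daniel warns about: whatever it drops is
    gone for good, so correlation downstream sees fewer facts."""
    rx = re.compile(pattern)
    return [r for r in records if rx.search(r["msg"])]


def run(raw=SEGMENT_LOG):
    """Parse, summarize and correlate one segment's log; compare with a filtered run."""
    records = [r for r in map(parse, raw.splitlines()) if r]
    summary = summarize(records)
    return {
        "lines_in": len(records),
        "lines_out": len(summary),
        "alerts": correlate_failed_logins(summary),
        "alerts_after_root_filter": correlate_failed_logins(
            keep_matching(summary, r"for root from")),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(run(), indent=2))
```

On the constructed input, eight lines become six after summarization with every attempt still counted, the segment-local correlation ties one source to three hosts, and a pre-filter that only keeps "root" attempts loses the admin attempt and one host from the same picture. Whether the collector forwards summaries or only alerts is the architectural choice the thread is about; the correlation itself is the same either way.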
This archive was generated by hypermail 2.1.3 : Wed May 10 2006 - 22:55:23 PDT