Loading...

Messages

Proposals

Stuck in your homework and missing deadline? Get urgent help in $10/Page with 24 hours deadline

Get Urgent Writing Help In Your Essays, Assignments, Homeworks, Dissertation, Thesis Or Coursework & Achieve A+ Grades.

Privacy Guaranteed - 100% Plagiarism Free Writing - Free Turnitin Report - Professional And Experienced Writers - 24/7 Online Support

127.0 0.1 www beenverified com

30/11/2021 Client: muhammad11 Deadline: 2 Day

Creating a Centralized Syslog Server Aug 18, 2011 By Jayson Broughton (/users/jayson- broughton)

in

28

A centralized syslog server was one of the first true SysAdmin tasks that I was given as a Linux Administrator way back in 1997. My boss at the time wanted to pull in log files from various appliances and have me use regexp to search them for certain key words. At the time Linux was still in its infancy, and I had just been dabbling with it in my free time. So, I jumped at the chance to introduce Linux to the company that I had worked for. Did it work? You bet it did! What this post is going to cover is not only how to setup a centralized syslog-ng server, but why you would go about setting one up in the first place.

So what is syslog? Syslog is used in Linux to log system messages (huh, another easy to guess name). Syslog-ng is just a rewrite of the original syslog, that was developed in 1998. Syslog-ng is still being actively developed (as of 2010) by BalaBit IT Security and comes with many more features, including better TCP handling, TLS encryption of messages, and sending messages to a database among other things. Some distributions allow you to install either syslog, rsyslog or syslog-ng. For this article, I'll be focusing on syslog-ng as this is more up to date, and if the reader wishes, can be 'supported' via the company that owns the syslog-ng software by going with their enterprise edition version at a later date.

Now that you've got an overview of syslog-ng, let's talk about just why you would use a centralized syslog-ng server. I am sure there are more than the two reasons that I will bring up, but I can think of at least 2 of them off the top of my head. The first is for security purposes. If you have your routers, firewalls, switches, Linux servers and/or other hardware pointing to a SECURED centralized syslog-ng server, when someone does attempt to attack one of the above devices log files can be safely off- site in a secure location. If syslog files are kept on the device this gives an attacker the ability to clean up their tracks. Granted, they can disable the ability to send log files to an external syslog-ng server, but any and all connections prior to that will be located on the centralized syslog server. The other reason is for convenience. For instance, if you have a server that crashed and is unresponsive, you can check the kernel error logs on your centralized syslog server. If you want to check syslog patterns between various dates over an extended time, regex the log files from the centralized syslog server.

So what do I do? I actually use both approaches at home. Not only do my devices and servers forward all their syslog files to a centralized location, but that location is locked down. The machine in question is a virtual machine with only 1 port open (syslog) and accessible only from the local machine, the syslog files are kept on an external drive. Is it paranoia? Probably a wee bit. But I do know that in my home environment, if my external drive fills up from too many syslog files it won't crash my virtual machine. If somehow something happens to my virtual machine, my host OS won't be affected, if someone does gain access to one of my devices then they can't gain access to my syslog server. Granted if something happened to my host OS then I would have issues with my guest VM's, but we can't always prepare for everything. Okay, I admit it's paranoia in the highest of levels, and for most people this is probably too far.

41 people like this. Be the first of your friends.

LikeLike

http://www.linuxjournal.com/
http://www.linuxjournal.com/user
http://www.linuxjournal.com/subscribe
https://googleads.g.doubleclick.net/aclk?sa=L&ai=BrP79DSmoVp2YEYzppAOp-hXvztDgBwAAABABIPP0nwY4AFivrcPRwAFgyd7niZSkmBOyARR3d3cubGludXhqb3VybmFsLmNvbboBCTcyOHg5MF9hc8gBAtoBRmh0dHA6Ly93d3cubGludXhqb3VybmFsLmNvbS9jb250ZW50L2NyZWF0aW5nLWNlbnRyYWxpemVkLXN5c2xvZy1zZXJ2ZXLAAgLgAgDqAhRTeXNBZG1pbl9MZWFkZXJib2FyZPgC8tEekAPoApgD6AKoAwHIA5kE0ASQTuAEAZAGAaAGFNgHAQ&num=0&cid=5GirE8TrEX8vdG-zK1z5EQVd&sig=AOD64_3I-GHbBBHpGBJiIHTDbQENpDlX7g&client=ca-pub-3600556074671070&adurl=https://www.suse.com/promo/zero-downtime/%3Fscr%3Dlj&nm=1
http://www.linuxjournal.com/users/jayson-broughton
Before we get started, here's a quick disclaimer. First off, as with all of my previous posts, I do all of my blogpost testing in Debian. In this case I had a virtual machine setup for Debian 6.0.1, thus your mileage may vary. Also I won't be getting into how to properly secure your server, best practices on where to place syslog files, or how to setup anything other than syslog-ng. I leave that up to the reader. This blog post just covers the basics of a centralized syslog-ng server.

Installing and Configuring - Server Side

Installing syslog-ng isn't as hard as it looks especially if you're installing from packages. For Debian: apt-get install syslog-ng, for Redhat: yum install syslog-ng. For those of you that enjoy a good source install: http://www.balabit.com/downloads/files?path=/syslog- ng/sources/3.2.4/source/syslog-ng_3.2.4.tar.gz Download, unpackage, configure, make & make install. Once you have syslog-ng installed, we can get to configuring the server side.

Global Options

First thing you need to do is locate your syslog-ng configuration file. The default install (for Debian variants) is '/etc/syslog-ng/syslog-ng.conf'. Before editing any configuration files it is best practice to make a copy of the original configuration file prior to any changes. This is just in case something happens and you need to go back to the original configuration file. I tend to label my original configuration files with .orig (in this case: syslog-ng.conf.orig). Now that you have made a copy of your configuration file, let's open it up with your editor of choice and get started.

long_hostnames(default: off ) - For this post I'm using syslong-ng OSE version 3.1, and I actually can't find long_hostnames in the global configuration guide online. I'll go with long hostnames as a default of off, being fully qualified domain names.

flush_lines(default: 0 ) - Sets the number of lines flushed to a destination at a time. Setting to 0 sends messages as they are received, but keep in mind setting this number higher may increase message latency. This is useful on the client side of syslog-ng. You would keep xx messages on the client before flushing to the destination so that you are not flooding the main syslog-ng server if you have alot of traffic coming from a server.

use_dns(default: no ) - Options: yes, no, persist_only. This one is up to you and your environment. If your syslog-ng is behind a firewall and not accessible to the outside of the world then 'yes' would be appropriate. If accessible to the outside of the world, set to 'no' in order to stop possible DoS attacks. I set mine to 'persist_only' which checks my /etc/hosts file on my syslog-ng server to resolve hostnames, without relying on dns servers.

use_fqdn(default: no ) - Set the Fully Qualified Domain Name, your choice. As a home network I only have one internal domain name. So mine defaults to 'no'. Setting to 'yes' would have your clients hostname show up as: 'hostA.domain.com' instead of 'hostA'

owner(default: root ) - Owner of output files

group(default: adm ) - Group of output files

perm(default: 0640 ) - Permission of output files. Defaults to 640 - Owner Read- Write, Group Read, Other none.

stats_freq(default: 0 ) - Time (in seconds) between two STATS (statistics messages about dropped log messages) Messages. 0 disables STATS messaging.

bad_hostname(default: ^gconfd$ ) - Regex containing hostnames that should not be handled as hostnames..in this case gconfd. If you have more than a handful of servers than I woudl recommend hostnames, unless of course you remember every ip address in your domain..if you, I applaud you.

Now that's it for the 'Default' Global configuration options, but there are many more that you can use. I also use the following:

normalize_hostnames(yes) - This converts all hostnames to lowercase. Some of my devices have uppercase hostnames, and sometimes I get carried away with a new host and Uppercase the first letter of the hostname. This will just lowercase all characters for easier readability.

keep_hostname(yes) - This keeps the hostname if running through a relay or an external server, so that when the host finally reaches the central server the hostname comes with it instead of relying on DNS (or /etc/hosts). If you're using $HOST macro, this should be enabled.

In a bigger and more important environment (read: not soho) I would be setting stats_freq(600) and stats_level(2) in order to retrieve statistics messages from the server. In most soho environments you might be gathering syslog data from 3-5 devices, at which point the odds of actually losing data are pretty slim. In a larger enterprise environment of several hundred devices reporting to centeral syslog servers, enabling statistics allows the sys admin the ability to check on stats and possibly lost messages.

Your global configuration options (if you want it to mirror mine) would look like the following:

options {(off);

flush_lines(0);

use_dns(persist_only);

use_fqdn(no);

owner("root");

group("adm");

perm(0640);

stats_freq(0);

bad_hostname("^gconfd$");

normalize_hostnames(yes);

keep_hostname(yes);

};

Setting up Listener

Setting up the listener for syslog-ng is actually only a few lines in the configuration file. A typical listener line looks like this:

source s_net { tcp((ip(127.0.0.1) port(1000) max-connections 5000)); udp ();

};

source s_net = Network listener

tcp(ip(127.0.0.1) = Listen on localhost. If you have multiple NIC's, or want to specify an ip to bind this to, change 127.0.0.1 to the ip address of that specific network card

port (1000) = Listen to TCP port 1000

max connections = Allow 5000 simultaneous connections (stops the dreaded 'run away server' syndrome)

udp () = Some devices send their syslog messages via udp, so enable udp if you can't specify tcp and port number.

encrypt(allow) = This could be an entire blog post in itself. Syslog-ng allows for encrypted (TLS, certificate based) syslog messages

Mine for example looks like this:

# Listen on TCP Port 1000 and UDP Port 514, Max 500 Connections source s_net

{

tcp(port(1000) max-connections(500)); udp(););

Destination - What goes up must come down. In this case what gets sent out must get put somewhere. Once a message is received from the syslog-ng server it's got to go somewhere. Thus the destination section of the syslog-ng.conf file. As you can see, the default covers your *nix destination for server messages on the local machine. But what about incoming messages? Where do they go? Good question, by default they will send their syslog messages to the subsystem specified in syslog-ng. For instance if it's a message that would be classified as an authentication message (/var/log/auth) then it will dump the message into the syslog-ng's /var/log/auth.log file with the appended information (hostname, date/time, etc).

If that's actually what you want to accomplish, a bunch of servers dumping to the same file as your main server, then I guess the task is complete. But syslog-ng can do so much more than that. If I do much more on server side configuration though I fear this will end up being a chapter in a book. Destinations can be flat files, pipes into other applications, SQL Databases (mysql, MS SQL, Oracle, etc), Remote Log servers, and Terminal Windows. I'll be focusing on flat files and assume you are doing the same for now.

Now the way I setup my centralized syslog server might be different then the way you setup yours. In my case I have a folder that has each hostname and the syslogs from the hostname are located in the folder. For Example: /mount/syslog/macha, /mount/syslog/beag, and so on and so forth. Logrotate takes care of zipping, removing (old files are backed up to a remote server just in case) and cleaning up log files.

My Destination directive looks like this:

destination d_net_auth {

file("/var/log/syslog/remote/$HOSTNAME/auth.log"); }; destination d_net_cron

{

file("/var/log/syslog/remote/$HOSTNAME/cron.log"); }; destination d_net_daemo

n

{ file("/var/log/syslog/remote/$HOSTNAME/daemon.log"); }; destination

d_net_kern { file("/var/log/syslog/remote/$HOSTNAME/kern.log"); }; destinatio

n

d_net_lpr { file("/var/log/syslog/remote/$HOSTNAME/lpr.log"); }; destination

d_net_mail { file("/var/log/syslog/remote/$HOSTNAME/mail.log"); }; destinatio

n

d_net_syslog { file("/var/log/syslog/remote/$HOSTNAME/syslog.log"); };

destination d_net_user { file("/var/log/syslog/remote/$HOSTNAME/user.log"); }

;

destination d_net_user { file("/var/log/syslog/remote/$HOSTNAME/uucp.log"); }

;

destination d_net_debug { file("/var/log/syslog/remote/$HOSTNAME/debug"); };

destination d_net_error { file("/var/log/syslog/remote/$HOSTNAME/error"); };

destination d_net_messages { file("/var/log/syslog/remote/$HOSTNAME/messages"

);

}; destination d_net_mailinfo {

file("/var/log/syslog/remote/$HOSTNAME/mail/mail.info"); }; destination

d_net_mailwarn { file("/var/log/syslog/remote/$HOSTNAME/mail/mail.warn"); };

destination d_net_mailerr {

file("/var/log/syslog/remote/$HOSTNAME/mail/mail.err"); };

Now in theory, the syslog-ng server is supposed to create the directories necessary for the files to drop into (as specified in the global policies) but sometimes I run into problems where the directories were not created properly and the errors in syslog-ng are reported in /var/log/errors. To alleviate future pain and suffering I tend to create the host and log files as I go, anything I'm missing will end up in /var/log/errors and I can create them later.

For those of you that are veteran syslog-ng users, you might wonder why I split my localhost destination and my remote(off-site clients) destinations when in theory I could have created a d_auth and had my regular localhost filter into a folder as well. The reason behind that was that I wanted to separate my localhost syslog traffic from remote traffic - more configuration lines, but easier on me. Also, I'm not messing with the Linux subsystem when it's out looking for where to put regular log files.

Filtering - The ability for Syslog-NG to filter its messages is what really seperates the 'men from the boys' in the syslog battle. The filtering is what really sets syslog-ng apart. Granted I separate my hosts in folders defined in $HOST variable, but filtering is the real meat and potatoes. With filtering I can (and do) the following: Filter Firewall logs looking for certain key words such as port scans, that get dumped into 1 folder, DDOS attacks that get filtered into another folder. My voip adaptor sends syslog events and I filter based on those messages into individual files instead of a single file. Filtering also allows you to specify multiple hosts to filter based on, and into multiple destinations. Not only that, but you can use regular expressions in filtering.

Filtering expressions are created like: filter { expression; };

is the name you give your filter. contains the function, and boolean operators (and,or,not).

An example for my firewall would be:

filter firewall_ddos_filter { host("10.1.1.1") and match("Denial of Service"

value("MESSAGE")); };

This filter is called 'firewall_ddos_filter, it listens for incoming syslog messages from 10.1.1.1 with a message of 'Denial of Service'. To complete the filter you need a log statement:

log firewall_ddos_filter { source(s_net); filter(firewall_ddos_filter);

destination(d_net_firewall_ddos); };

In my above destination I would add a destination for firewall DDOS Attacks, port scanning, etc. This makes it easier to separate log files from servers/devices that do not use the standard *nix logging facilities, or easier for a system admin to filter logs coming out of a firewall (or many firewalls filtered into one log).

If you want to use multiple 'firewall' hosts (as an example) do NOT use just add them in and create a log/filter rule using a boolean operator of 'and'. It will not work, and you beat your head on the desk for many hours to come. Instead, use the 'or' boolean operator as such:

filter firewall_ddos_filter { host("10.1.1.1") or host ("10.1.1.2") and

match("Denial of Service" value("MESSAGE")((; };

My 'Default' Filtering directive looks like this (Beautified for this post but they call fit in 'paragraph' form as long as there is a semi-colon seperating each case):

filter f_dbg { level(debug); };

filter f_info { level(info); };

filter f_notice{ level(notice); };

filter f_warn { level(warn); };

filter f_err { level(err); };

filter f_crit { level(crit .. emerg); };

filter f_debug { level(debug) and not facility(auth, authpriv, news, mail); }

;

filter f_error { level(err .. emerg) ; };

filter f_messages { level(info,notice,warn) and not facility(auth,authpriv,cr

on,daemon,mail,news);

};

filter f_auth { facility(auth, authpriv) and not filter(f_debug); };

filter f_cron { facility(cron) and not filter(f_debug); };

filter f_daemon { facility(daemon) and not filter(f_debug); };

filter f_kern { facility(kern) and not filter(f_debug); };

filter f_lpr { facility(lpr) and not filter(f_debug);};

filter f_local { facility(local0, local1, local3, local4, local5, local6, loc

al7) and not filter(f_debug); };

filter f_mail { facility(mail) and not filter(f_debug); };

filter f_news { facility(news) and not filter(f_debug); };

filter f_syslog3 { not facility(auth, authpriv, mail) and not filter(f_debug)

; };

filter f_user { facility(user) and not filter(f_debug); }; filter f_uucp { fa

cility(uucp) and not filter(f_debug); };

filter f_cnews { level(notice, err, crit) and facility(news); };

filter f_cother { level(debug, info, notice, warn) or facility(daemon, mail);

};

filter f_ppp { facility(local2) and not filter(f_debug); };

filter f_console { level(warn .. emerg); };

Statistics

There's nothing more I enjoy better than some good statistics. When I run any server or service, be it at the house or at work I want to see what my server has processed over time. Beginning with version 3.1, syslog-ng now has a syslog-ng-ctl stats utility which has greatly simplified grabbing log files. Prior to 3.1 to fetch statistic files you would run: echo STATS | nc -U /var/run/syslog-ng.ctl.

Because I'm a regex geek I'm not thrilled with the semi-colons in the output of syslog-ng-ctl stats thus I run: syslog-ng-ctl stats | sed 's|;|\t|g' to clean up the output.

What you have when you type the above command is 6 columns: SourceName, SourceID, SourceInstance, State, Type and Number.

SourceName - The name of the Source, for instance: destination, source, global, center

SourceID - The ID you gave the source (a previous example was firewall_ddos_filter, other examples would be: d_mail, d_net_user, etc)

SourceInstance - The destination of the Source Instance such as a filename, or the name of an application for a program source (sql) or destination

State: - Status of the object: a (Active - Currently active and receiving data), d (Dynamic - Not continuously available) o (Once active but stopped receiving messages such as an orphaned object)

Type - Type of Statistic such as: Processed: Number of Messages that reached their destination Dropped: Number of dropped messages Stored: Number of messaged stored in message Queue waiting to be sent to destination Suppressed (not sent): Number of Suppressed Messaged Stamp: Timestamp of Last message sent. These statistics are reset when the syslog-ng service is reset.

Number: Number of Messages

Log Rotate, Log Rotate, LOG ROTATE

Was that a clear enough message for you? Rotating your message logs will save your butt in the log run. Without rotating your logs your log disk space will just continue to grow and grow eventually filling up your hard drive. Not only will log rotate save space, but it will make searching for log files on specific dates easier than pulling up a 50MB log file that you didn't set into log rotate and searching for a specific date.

Depending on your distro, logrotate is located in /etc/logrotate.conf. As this isn't a blogpost on logrotate, I'll leave your configuration up to your imagination and give you an example on how I rotate my log files:

/var/log/remote/*/ { rotate 5 weekly missingok create }

This goes through /var/log/remote/*/ every week and rotates my logs. Logs are rotated for 1 month at which point I have a cronjob that tar-zips my old logs and they are moved off to a backup location where they are kept for another month before being rotated off. In a business environment of course logs would be kept for however long management and legal dictates, but for a home environment I feel 2 months of logs is good enough to troubleshoot any problems that might have come up in that time.

Syslog Client

As each server and device is different in their setup, I won't get too in-depth into this. Syslog communicates on UDP port 514, but as I stated earlier above, I also set the main syslog server to communicate on TCP port 1000 for other devices. This allows the syslog-ng server to listen on two ports, 514 UDP for devices that can't change their ports, and TCP 1000 for servers that you can specify port numbers. Why did I put TCP 1000 and not TCP 514? Because Linux uses tcp 514 for rsh (remote shell) which would have caused some problems with my (and other's) host system. If you plan on running syslog-ng on the outside of the world (and I would assume your setting authentication, and using TLS encryption) then setting a TCP port that's not typical would be your best bet.

1. For devices all you should need to do is tell the device to point to the hostname and make sure either UDP 514 or TCP 1000 is the destination

2. For rsyslog clients add the following line:

For TCP: *.* @@ipaddress:1000

For UDP: *.* @ipaddress:514

3. For syslog-ng clients add the following line:

*New syslog Protocol* syslog(host tranport [options];

*old syslog protocol* destination d_tcp { syslog(ip("remoteip")

transport("tcp") port(1000) localport(999)}; };

destination d_udp { syslog(ip("remoteip") transport("udp") port(514)

localport(999)}; };

Conclusion

Well there you have it, a birds eye view of syslog-ng. There is plenty more that you can learn about syslog-ng, as I just went into the basics of getting started. From here you can get into macros, increased filtering, and TLS/Certificate based encryption of syslog messages (which I might cover in a later blog post). By sending your syslog messages to a centralized syslog server, and backing up said syslog server, you can rest assured that your system messages are secure and easy to get to when you need them.

As promised earlier, here are the links to get you started with syslog-ng:

The syslog-ng Open Source Edition 3.1 Administrator Guide (HTML) http://www.balabit.com/sites/default/files/documents/syslog-ng-ose- v3.1-guide-admin-en.html/bk01-toc.html (http://www.balabit.com/sites/default/files/documents/syslog-ng-ose-v3.1-guide-admin-en.html/bk01- toc.html)

The syslog-ng Open Source Edition 3.1 Administrator Guide (PDF) http://www.balabit.com/support/documentation/syslog-ng-pe-v3.2- guide-admin-en_1.pdf (http://www.balabit.com/support/documentation/syslog-ng-pe-v3.2-

http://www.balabit.com/sites/default/files/documents/syslog-ng-ose-v3.1-guide-admin-en.html/bk01-toc.html
http://www.balabit.com/support/documentation/syslog-ng-pe-v3.2-guide-admin-en_1.pdf
guide-admin-en_1.pdf)

All Documentation: http://www.balabit.com/support/documentation (http://www.balabit.com/support/documentation)

______________________

www.jaysonbroughton.com

Comments

Comment viewing options Threaded list - expanded Date - newest first 50 comments per page Save settings

Select your preferred way to display the comments and click "Save settings" to activate your changes.

nxlog (/content/creating-centralized-syslog-server#comment-369566) Submitted by Anonymous (http://nxlog.org) (not verified) on Fri, 10/14/2011 - 07:02.

For centralized log collection I also recommend nxlog (http://nxlog.org) . You can use it on both Linux and Windows, and has SSL support for forwarding logs in addition to the features syslog-ng has. NXLOG is also open source.

Rather than using logrotate, (/content/creating-centralized-syslog-server#comment-368054) Submitted by Anonymous (not verified) on Sat, 08/20/2011 - 12:49.

Rather than using logrotate, just use Date macros in the destination definitions, and syslog- ng will start new logfiles intself at midnight. You also end up with nice directory structures where log files are grouped by date.

Use Splunk!! it's the best (/content/creating-centralized-syslog-server#comment-367697) Submitted by Anonymous (not verified) on Fri, 08/19/2011 - 08:15.

Use Splunk!! it's the best centralized syslog (and search/reporting) solution available. DL the file and you'll have a beautiful solution up and running in 10 minutes. - really.

Splunk can collect syslog traffic (and other network feeds) or a light weight agent can be used to run commands and collect(index) their output.

http://www.balabit.com/support/documentation/syslog-ng-pe-v3.2-guide-admin-en_1.pdf
http://www.balabit.com/support/documentation
http://www.linuxjournal.com/content/creating-centralized-syslog-server#comment-369566
http://nxlog.org/
http://nxlog.org/
http://www.linuxjournal.com/content/creating-centralized-syslog-server#comment-368054
http://www.linuxjournal.com/content/creating-centralized-syslog-server#comment-367697
http://www.googleadservices.com/pagead/aclk?sa=L&ai=C3kTjDSmoVqy9GtON-QLIxJ7gCOiK6t8GkOz3-skCuPOv48cCEAEg8_SfBmDJ3ueJlKSYE6ABoJ793QPIAQTgAgCoAwGqBNMBT9Dh8MavOeeZhpI36zDwTeD7yT4hdUswDbhevTIYOg9znS4O43WG6yWbdM8__BNxRttb-OmsMkkUk2-cCjC1czndgThXdtq8tXXAVjLV0twmltHvVIPYcH3ENVDTvpGc2pPeBFpeT4m9v_IxEj60RaJx7z4Npy606r2rG3YbMgurdeYaLIA_vYn-ZgFqFAu8MNzMIUnkeqqJvfMVDy6CcmGNP5Up-F-nHyPeGWUDE5SIPGe6_bNPU3qcndmPRCZ1qZ-XKeKO5D7ApoB2dESEWisFp-AEAfoFBgglEAEYAIgGAaAGLoAHyOGCIqgHpr4b2AcA&num=1&cid=5GieHvbNvme_0kmhbnGjk3AQ&sig=AOD64_3WFxEZLN_EhK-LR2dVzIBCWtmCQQ&adurl=http://www.rei.com/product/100420/diamondback-el-oso-nino-fat-bike-2016%3Fcm_mmc%3Dad_gdn%26CAWELAID%3D120217890001841486&client=ca-pub-3600556074671070
(/users/loadedmind)

(/users/jayson-broughton)

Splunk works great, depending (/content/creating-centralized-syslog-server#comment-370099) Submitted by loadedmind (/users/loadedmind) on Fri, 11/18/2011 - 14:20.

Splunk works great, depending on the amount of data it has to parse/index. Then, you just about need a freaking supercomputer to handle that data.

Splunk (/content/creating-centralized-syslog-server#comment-367698) Submitted by Jayson Broughton (/users/jayson-broughton) on Fri, 08/19/2011 - 08:47.

True, I'll agree with you on the Splunk. I've used Splunk in the past and I love it. But for home users with less than 10 servers/devices splunk can be over-kill, with IT departments on a thin budget (or those non-profits) that can't afford Spunks licensing for over xxx ammt of data/day it can put a stop to purchasing. I swear by splunk for the middle of the line setups (20- 30 servers with less than 500MB of syslog traffic a day). But to setup and monitor a splunk server in a soho environment would probably be overkill when a small syslog-ng server with filtering would do the trick. Just my 2c. :-)

www.jaysonbroughton.com (http://www.jaysonbroughton.com)

Alternatives to Splunk (/content/creating-centralized-syslog-server#comment-368134) Submitted by Scott McCarty (http://crunchtools.com) (not verified) on Mon, 08/22/2011 - 02:50.

Another alternative is petit with syslog-ng, http://crunchtools.com/centralizing-log-files/ (http://crunchtools.com/centralizing-log-files/)

On the other hand, if you really need the power of a web gui, the is also Logzilla.

Sponsored

1. Burn 100 - Jump It Off a year ago thescene.com Self Self - CNE (sponsored) Fitness 2. Hollywood’s Forgotten Relationships 4 weeks ago 15celebs.com 15 Celebs 15Celebs.com (sponsored) 3. How This Razor Is Changing the Shaving Industry 3 months ago ad.atdmt.com Harry's (sponsored) 4. 2 Dudes on Shark Tank Reveal Trillion Dollar Idea 2 weeks ago fool.com The Motley Fool Fool.com (sponsored) 5. How Much Of Your Personal Info Is Actually Public? 7 hours ago beenverified.com Been Verified BeenVerified.com (sponsored) 6. Country Fans Stunned After Underwood Confession a week ago celebritique-online.com Celebritique (sponsored)

7. You Won't Believe Your Eyes With These Perfectly Timed Pictures! a year ago welltimedphotos.com Well Timed Photos WellTimedPhotos.com (sponsored) 8. Drool-worthy Celebs Accessories 3 months ago gossipbreak.com Gossip Break GossipBreak.com (sponsored) Beyonce

http://www.linuxjournal.com/users/loadedmind
http://www.linuxjournal.com/users/jayson-broughton
https://thescene.com/watch/self/burn-100-jump-it-off
https://thescene.com/
http://thescene.com/
http://thescene.com/
http://www.15celebs.com/celebrity-forgotten-romances/?grvVariant=521303710fb5bcb286fa3145c3cf4167
http://www.15celebs.com/
http://www.15celebs.com/
http://www.15celebs.com/
https://ad.atdmt.com/c/go;p=11252200420748;ev.a=1;idfa=;idfa_lat=;aaid=;aaid_lat=;cache=?grvVariant=b54b966386796765213992471b9c5cea
https://ad.atdmt.com/
http://ad.atdmt.com/
http://www.fool.com/mms/mark/shark-tank-video?utm_source=gravity&utm_medium=contentmarketing&utm_campaign=sharktankvsl&aid=8766&source=erbgrimu0860004&grvVariant=86e6d6f4a80118267ca0b2e0a8ae081f
http://www.fool.com/
http://www.fool.com/
http://www.fool.com/
https://www.beenverified.com/seg/?utm_source=gravity&utm_medium=content&utm_campaign=BV_GRAV_PR_BROAD2016&headline=H139&creative=BLN_COMP&grvVariant=67ab49b65c7c39536c70f7bb29020b16
https://www.beenverified.com/
http://www.beenverified.com/
http://www.beenverified.com/
http://celebritique-online.com//hottest-stories/?id=3000&kw=c1&grvVariant=191c3a0d26086ca0da4e5297be76cfd8
http://celebritique-online.com/
http://celebritique-online.com/
http://welltimedphotos.com/the-man-certainly-knows?&v=9
http://welltimedphotos.com/the-man-certainly-knows?&v=9
http://welltimedphotos.com/
http://welltimedphotos.com/
http://welltimedphotos.com/
http://www.gossipbreak.com/12-most-expensive-celebs-accessories/?grvVariant=1428d66fd76ac3c04f3877c693c3d9b7
http://www.gossipbreak.com/
http://www.gossipbreak.com/
http://www.gossipbreak.com/
http://www.linuxjournal.com/content/creating-centralized-syslog-server#comment-370099
http://www.linuxjournal.com/users/loadedmind
http://www.linuxjournal.com/content/creating-centralized-syslog-server#comment-367698
http://www.linuxjournal.com/users/jayson-broughton
http://www.jaysonbroughton.com/
http://www.linuxjournal.com/content/creating-centralized-syslog-server#comment-368134
http://crunchtools.com/
http://crunchtools.com/centralizing-log-files/
Comments for this thread are now closed. ×

0 Comments Linux Journal Login!1

Share⤤ Sort by Best

This discussion has been closed.

Subscribe✉ Add Disqus to your site Add Disqus Addd Privacy%

Recommend♥

https://disqus.com/home/forums/linuxjournal/
http://disqus.com/embed/comments/?base=default&version=373811fa7368a59f3d84510b6dd26d53&f=linuxjournal&t_i=node%2F1023623&t_u=http%3A%2F%2Fwww.linuxjournal.com%2Fcontent%2Fcreating-centralized-syslog-server&t_e=Creating%20a%20Centralized%20Syslog%20Server&t_d=Creating%20a%20Centralized%20Syslog%20Server&t_t=Creating%20a%20Centralized%20Syslog%20Server&s_o=default#
https://disqus.com/home/inbox/
http://disqus.com/embed/comments/?base=default&version=373811fa7368a59f3d84510b6dd26d53&f=linuxjournal&t_i=node%2F1023623&t_u=http%3A%2F%2Fwww.linuxjournal.com%2Fcontent%2Fcreating-centralized-syslog-server&t_e=Creating%20a%20Centralized%20Syslog%20Server&t_d=Creating%20a%20Centralized%20Syslog%20Server&t_t=Creating%20a%20Centralized%20Syslog%20Server&s_o=default#
http://disqus.com/embed/comments/?base=default&version=373811fa7368a59f3d84510b6dd26d53&f=linuxjournal&t_i=node%2F1023623&t_u=http%3A%2F%2Fwww.linuxjournal.com%2Fcontent%2Fcreating-centralized-syslog-server&t_e=Creating%20a%20Centralized%20Syslog%20Server&t_d=Creating%20a%20Centralized%20Syslog%20Server&t_t=Creating%20a%20Centralized%20Syslog%20Server&s_o=default#
https://disqus.com/
http://disqus.com/embed/comments/?base=default&version=373811fa7368a59f3d84510b6dd26d53&f=linuxjournal&t_i=node%2F1023623&t_u=http%3A%2F%2Fwww.linuxjournal.com%2Fcontent%2Fcreating-centralized-syslog-server&t_e=Creating%20a%20Centralized%20Syslog%20Server&t_d=Creating%20a%20Centralized%20Syslog%20Server&t_t=Creating%20a%20Centralized%20Syslog%20Server&s_o=default#
https://publishers.disqus.com/engage?utm_source=linuxjournal&utm_medium=Disqus-Footer
https://help.disqus.com/customer/portal/articles/1657951?utm_source=disqus&utm_medium=embed-footer&utm_content=privacy-btn
http://disqus.com/embed/comments/?base=default&version=373811fa7368a59f3d84510b6dd26d53&f=linuxjournal&t_i=node%2F1023623&t_u=http%3A%2F%2Fwww.linuxjournal.com%2Fcontent%2Fcreating-centralized-syslog-

Homework is Completed By:

Writer Writer Name Amount Client Comments & Rating
Instant Homework Helper

ONLINE

Instant Homework Helper

$36

She helped me in last minute in a very reasonable price. She is a lifesaver, I got A+ grade in my homework, I will surely hire her again for my next assignments, Thumbs Up!

Order & Get This Solution Within 3 Hours in $25/Page

Custom Original Solution And Get A+ Grades

  • 100% Plagiarism Free
  • Proper APA/MLA/Harvard Referencing
  • Delivery in 3 Hours After Placing Order
  • Free Turnitin Report
  • Unlimited Revisions
  • Privacy Guaranteed

Order & Get This Solution Within 6 Hours in $20/Page

Custom Original Solution And Get A+ Grades

  • 100% Plagiarism Free
  • Proper APA/MLA/Harvard Referencing
  • Delivery in 6 Hours After Placing Order
  • Free Turnitin Report
  • Unlimited Revisions
  • Privacy Guaranteed

Order & Get This Solution Within 12 Hours in $15/Page

Custom Original Solution And Get A+ Grades

  • 100% Plagiarism Free
  • Proper APA/MLA/Harvard Referencing
  • Delivery in 12 Hours After Placing Order
  • Free Turnitin Report
  • Unlimited Revisions
  • Privacy Guaranteed

6 writers have sent their proposals to do this homework:

Calculation Guru
Quick Finance Master
ECFX Market
Finance Master
George M.
Coursework Help Online
Writer Writer Name Offer Chat
Calculation Guru

ONLINE

Calculation Guru

I will provide you with the well organized and well research papers from different primary and secondary sources will write the content that will support your points.

$17 Chat With Writer
Quick Finance Master

ONLINE

Quick Finance Master

As an experienced writer, I have extensive experience in business writing, report writing, business profile writing, writing business reports and business plans for my clients.

$47 Chat With Writer
ECFX Market

ONLINE

ECFX Market

I have read your project details and I can provide you QUALITY WORK within your given timeline and budget.

$15 Chat With Writer
Finance Master

ONLINE

Finance Master

After reading your project details, I feel myself as the best option for you to fulfill this project with 100 percent perfection.

$27 Chat With Writer
George M.

ONLINE

George M.

I have assisted scholars, business persons, startups, entrepreneurs, marketers, managers etc in their, pitches, presentations, market research, business plans etc.

$38 Chat With Writer
Coursework Help Online

ONLINE

Coursework Help Online

I have read your project details and I can provide you QUALITY WORK within your given timeline and budget.

$42 Chat With Writer

Let our expert academic writers to help you in achieving a+ grades in your homework, assignment, quiz or exam.

Similar Homework Questions

5.2 graphing polynomial functions homework answers - An animal like protist - Drops per minute calculator - Which one of the following items is an example of a symbol in "bernice bobs her hair"? - Cryokinetics is a rehabilitative technique based on - Cost of boll and branch sheets - Eye level medium shot - Why we work by andrew curry essay - Bradford city clinical commissioning group - Captain smolsky bugsy malone - How would you describe sunset boards cash flows for 2014 - Real life romeo and juliet love stories - 36v house solar panel to 12v battery - Chatham grammar term dates - Hadoop, spark, python - Knee voltage of led - Popular vote vs electoral college pros and cons - Sales discounts with terms 2 10 n 30 mean - Inverse square law graph - Mcgraw hill connect accounting chapter 4 - Psychology - Gamescape week 2 answers - Humphry davy acid base - You may remove your goggles while in the lab - Ministry of sound 2006 dvd - Train tickets derry to portrush - The devil wears prada discussion questions - Chi-x asia pacific holdings limited - Bond energy of f2 - Bruce stevenson toyota launceston - Dehumanization in the giver - The secret to efficient teamwork is ridiculously simple - Due Friday by 3 pm - The north china lover summary - Junior doctor training program - Film form and culture pdf - Wendy Lewis 1 - Principles of advocacy in nursing - Implementing a new process : on Safety for construction industry - Columbia pictures and dreamworks pictures - Week 5 Discussion Forum: Peer Review for Cultural and Ethical Perspective Inquiry Draft - How to breed clownfish dragon in dragon mania legends - Subjective data for abdominal assessment - Http www humanmetrics com hr jtypesresult aspx - How i met my husband alice munro character analysis - Posted Below - The two merchants of seri questions and answers - Indian education sherman alexie rhetorical analysis - Ece 430 eportfolio - Landram corporation makes a product with the following standard costs - Two Paragraphs due in an Hour - Morrisons swan valley northampton phone number - Discussion - ________ are the social ties that radiate outward from the self and link people together. - Confidor pear and cherry slug - Nat 5 physics formula sheet - Active Low Pass Filters - Business assignment - Developing project managers at global green books publishing - Electric field mapping lab report discussion - Ispm 15 certificate validity - The espresso lane to global markets case study solution - Organizational behavior fifth edition pdf - Fahrenheit 451 compare and contrast essay - Bisous d eskimo lyrics - Essay - Strategic importance of cloud computing in business organizations - Bird in hand principle entrepreneurship - Alexandra wing broadgreen hospital - Rvsm contingency procedures jeppesen - Microsoft insead online business strategy and financial acumen - Yahoo finance api json - Pelton wheel experiment lab report - Child maintenance law pakistan - Social Media’s Effect on Loyalty - Mental and behavioral - HCA320 Assignment Mod 3: - Chemistry - How to measure step and touch potential - Cask of amontillado essay prompts - Performance equation in computer architecture - Chinese lion dance meaning - Heart trust nta food preparation course - "A" WORK DISCUSSION - Http www metmuseum org toah hd byza hd_byza htm - Printable tambola tickets free - 62.50 euros in pounds - Speaking Anxiety Journal Assignment - Enhanced Synthesis Paper: Doctoral Identity - Essentials of health information systems and technology balgrosky pdf - VIDEO PRESENTATION. STRAIN THEORY IS THE THEORY SELECTED - Brunswick secondary college futsal - Sociology application and reflection paper 1 - Seven domains of typical it infrastructure - Mk k545whi data socket module rj45 - Express the moment of the couple acting on the rod in cartesian vector form. - Mixing what with what improves creativity - Strategic planning for public and nonprofit organizations 4th edition pdf - A market research company wishes to find out - Describe how packet loss can occur at output ports