# Syslog Server...

## ee99ee2

We got a new firewall (pix 515e) and we are going to need a syslog server somewhere to be available for the pix to log to. Would it be smart to have the syslog server log to our database (which is on the server with tons of storage space)?

How would I configure something like metalog to log to a SQL server? I say metalog, b/c that's the one I happen to use on my desktop. Is there some logging service out there that's specifically designed to be used with SQL on the backend?

-ee99ee2

----------

## kashani

*ee99ee2 wrote:*

> We got a new firewall (pix 515e) and we are going to need a syslog server somewhere to be available for the pix to log to. Would it be smart to have the syslog server log to our database (which is on the server with tons of storage space)?

I personally never bothered. I just had each device going to its own file, rotated them weekly, and used some sort of log checker to alert me if something bad happened. The system was roughly 16 routers and 50 switches. I was mostly looking for BGP or OSPF neighbor changes or interface resets. Is there some reason you want to put your logs into a db?

Something to keep in mind is that most Cisco devices will drop logs if you try to log too much.

```
Feb 26 15:51:45 rtr3.wlv/rtr3.wlv 125: Feb 26 15:51:44.302 PST: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 5 packets
```

kashani

----------

## ee99ee2

They drop log entries? LOL... how safe.. gee

But no, no reason as to why I should use a db on the backend... just thought it'd be a good idea since our SQL server has a butt load of storage space...

What are the differences between the different logging servers? Syslogd, metalog, etc.?

-ee99ee2

----------

## kashani

Assuming you've got a good sized network it's probably time to have a dedicated monitoring server. In our case we're running

- Apache w/ssl
- MRTG
- smokeping, which is fairly useless
- Nagios
- Postfix for sending alerts
- syslogd for centralized logging
- Tacacs auth and accounting
- some custom transaction tests
- working on a system to alert off things that come into syslog

on a dedicated nms box. 40GB of space and we're about to put a second one in another pop for redundancy. I can't imagine ever needing more than a GB for logs. Even if you needed 40, disk is cheap.

I got the idea that the difference between syslog-ng and metalog was mostly religious. In any case, here's a working syslog-ng conf for cisco devices.

```
# use FQDN and long names
options {
        long_hostnames(on);
        keep_hostname(on);
        use_fqdn(on);
        sync(0);
};

# lets things log from the network, might need to allow udp/514 on your firewall
source net { udp(); };

# Does a lookup on the IP the message came from and uses that as the file name
# remember to set a logging interface preferably the loopback
destination d_cisco_devices { file("/var/log/cisco/$HOST.log"); };

# you can probably do fancier stuff with this
filter f_cisco_info { level(info); };
filter f_cisco_notice { level(notice); };
filter f_cisco_warn { level(warn); };
filter f_cisco_crit { level(crit); };
filter f_cisco_err { level(err); };

# Ditto for here, too
log { source(net); filter(f_cisco_info); destination(d_cisco_devices); };
log { source(net); filter(f_cisco_notice); destination(d_cisco_devices); };
log { source(net); filter(f_cisco_warn); destination(d_cisco_devices); };
log { source(net); filter(f_cisco_crit); destination(d_cisco_devices); };
log { source(net); filter(f_cisco_err); destination(d_cisco_devices); };
```

kashani
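Kashani's setup above writes one file per device and relies on a separate log checker for the things he cares about (BGP/OSPF neighbor changes, interface resets) and on noticing when a device has started rate-limiting or dropping messages. The script below is an added example of such a checker, not code from kashani or from syslog-ng: it parses lines in the shape of the `%SEC-6-IPACCESSLOGRL` message quoted earlier (relay timestamp, host, IOS sequence number, device timestamp, `%FACILITY-SEVERITY-MNEMONIC`, text), flags the events mentioned in the thread, and uses gaps in the per-device sequence number to detect messages that never arrived. It assumes the devices have IOS sequence numbering turned on (the number before the first colon); the sample lines are constructed for the example, with documentation-range addresses.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample input (not from a real device). The first line copies the
# shape of the message quoted in the thread; the rest follow the same layout:
#   <relay time> <host> <seq>: <device time>: %FACILITY-SEVERITY-MNEMONIC: <text>
# Note rtr1.wlv jumps from sequence 126 to 128: message 127 never arrived.
SAMPLE_LINES = [
    "Feb 26 15:51:45 rtr3.wlv/rtr3.wlv 125: Feb 26 15:51:44.302 PST: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 5 packets",
    "Feb 26 15:52:01 rtr1.wlv/rtr1.wlv 126: Feb 26 15:52:00.118 PST: %BGP-5-ADJCHANGE: neighbor 192.0.2.1 Down BGP Notification sent",
    "Feb 26 15:52:03 rtr1.wlv/rtr1.wlv 128: Feb 26 15:52:02.004 PST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to down",
    "Feb 26 15:52:09 sw7.wlv/sw7.wlv 301: Feb 26 15:52:08.550 PST: %SYS-5-CONFIG_I: Configured from console by vty0 (198.51.100.9)",
    "Feb 26 15:52:20 rtr1.wlv/rtr1.wlv 129: Feb 26 15:52:19.771 PST: %OSPF-5-ADJCHG: Process 1, Nbr 192.0.2.2 on Serial0/1 from FULL to DOWN, Neighbor Down: Dead timer expired",
]

LINE_RE = re.compile(
    r"^(?P<recv>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) "  # relay (syslog server) time
    r"(?P<host>\S+) "                                     # device name as syslog-ng wrote it
    r"(?P<seq>\d+): "                                     # IOS sequence number (assumed enabled)
    r"(?P<devtime>.*?): "                                 # device's own timestamp
    r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnem>[A-Z0-9_]+): "
    r"(?P<msg>.*)$"
)


@dataclass
class CiscoMsg:
    recv: str
    host: str
    seq: int
    devtime: str
    facility: str
    severity: int
    mnemonic: str
    text: str


def parse_line(line: str) -> Optional[CiscoMsg]:
    """Parse one relayed IOS syslog line; return None if it does not fit the layout."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    # The relay wrote "name/name"; keep only the first component as the device name.
    host = m["host"].split("/")[0]
    return CiscoMsg(m["recv"], host, int(m["seq"]), m["devtime"],
                    m["fac"], int(m["sev"]), m["mnem"], m["msg"])


# (facility, mnemonic) pairs for the routing-neighbor events the thread mentions.
NEIGHBOR_EVENTS = {("BGP", "ADJCHANGE"), ("OSPF", "ADJCHG")}

Alert = Tuple[str, str, str]  # (host, kind, detail)


def check_messages(lines: List[str]) -> List[Alert]:
    """Run the thread's checks over a batch of lines and return the alerts raised."""
    alerts: List[Alert] = []
    last_seq: Dict[str, int] = {}
    for line in lines:
        msg = parse_line(line)
        if msg is None:
            alerts.append(("?", "unparsed", line[:60]))
            continue
        # Dropped-message detection: a hole in the device's sequence numbers
        # means messages were lost in transit (UDP) or never sent.
        prev = last_seq.get(msg.host)
        if prev is not None and msg.seq > prev + 1:
            alerts.append((msg.host, "seq_gap", f"expected {prev + 1}, got {msg.seq}"))
        last_seq[msg.host] = msg.seq

        if msg.mnemonic == "IPACCESSLOGRL":
            # The device itself says it is rate-limiting ACL logging.
            alerts.append((msg.host, "rate_limited", msg.text))
        elif (msg.facility, msg.mnemonic) in NEIGHBOR_EVENTS:
            alerts.append((msg.host, "neighbor_change", msg.text))
        elif msg.facility in {"LINK", "LINEPROTO"} and msg.mnemonic == "UPDOWN":
            alerts.append((msg.host, "interface_change", msg.text))
        elif msg.severity <= 2:
            # Anything emergency/alert/critical that no specific rule caught.
            alerts.append((msg.host, "critical",
                           f"%{msg.facility}-{msg.severity}-{msg.mnemonic}: {msg.text}"))
    return alerts


if __name__ == "__main__":
    for host, kind, detail in check_messages(SAMPLE_LINES):
        print(f"{host:10} {kind:16} {detail}")
```

Run against the sample, the `%SYS-5-CONFIG_I` line passes through silently while the other four each raise an alert, and the hole between sequence 126 and 128 on rtr1.wlv is reported as a separate `seq_gap`; feeding the per-device files from the syslog-ng config above into `check_messages` is the obvious next step.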

----------

## splooge

*ee99ee2 wrote:*

> They drop log entries? LOL... how safe.. gee

Yes, you're exactly correct! Very safe indeed.

A miskey in IOS can turn on so much logging that on a busy network it would just cripple the device.

----------

## rtn

*splooge wrote:*

> *ee99ee2 wrote:*
>
> > They drop log entries? LOL... how safe.. gee
>
> Yes, you're exactly correct! Very safe indeed.
>
> A miskey in IOS can turn on so much logging that on a busy network it would just cripple the device.

It's also UDP, which doesn't/won't resend lost packets. Some syslog servers can use TCP, which may give you a better guarantee that your data stream will arrive as intended.

--rtn

----------