Re: syslog and network management

[david () lang hm]

On Wed, 20 Feb 2008, Darden, Patrick S. wrote:

> 3.  Performance-wise, is there anything special needed?  Not really. 
> It depends on the size of the network, number of devices, how much 
> detail you are recording, etc.  What you describe is a good basis for 
> starting.  Proably the three best things you could do would be: dual 
> core cpu (any decent ghz), a great NIC (or two, lots of udp bursts from 
> syslog), and lots of storage (you would want to keep at least 1 year in 
> local drive space).

if you end up doing much searching through your logs you can end up eating 
a LOT more CPU then you imagine, especially as you correlate things and 
end up searching for more related items at a time.

I've also found that it's faster to gzip the logs as you rotate them and 
search through the compressed logs then to search through the same volume 
of logs uncompressed.

what I do on my very busy servers is to put one high-rpm SCSI drive and 
one (or more) large SATA drives in the box. I have syslog write to the 
SCSI drive and then when I rotate the logs I save them to the slow, but 
cheap SATA drive.

David Lang
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards