nanog mailing list archives

Re: improving signal to noise ratio from centralized network syslogs


From: Jippen <cheetahmorph () gmail com>
Date: Sun, 4 Feb 2018 01:07:45 -0800

I really recommend setting up fluentd, and then routing logging from there
- it makes it very easy to keep auditor-appeasing logs, while also having
important stuff sending pages. Log aggregation, organization, and search is
a hard problem, other people have already done it and provided it as a
service, and chances are it's NOT a core competency or secret sauce at your
organization.

Once you get your logs in one routing system, you can do a lot with them,
but stop rolling your own. This is a prime area for most companies to buy
something that works better, for less than the cost of developing in house.
And if you run your own aggregation layer - then you can easily try out a
bunch of different systems and add/remove them easily. :)

Also, you may want to see one level of logs, but your auditors might wanna
see another, and your engineers/sec team might wanna do some analytics on
them. Being able to provide a solution for everyone who needs network logs
at whatever detail level they ask for will make you popular at your
organization.

On Sun, Feb 4, 2018 at 12:21 AM, Tarko Tikan <tarko () lanparty ee> wrote:

hey,

This is done with the 'logging facility' command on the devices:

After defining your syslog server's IP address and the level of messaging
you want (I set it to debug because I want to see everything):

on the routers: logging facility local0
on the switches:  logging facility local1


An alternative, and more universal, way to do it is to use multiple IPs for
the syslog server. Then configure the correct syslog server IP on the device.

syslog-ng and others can all do filtering to different destinations based
on the IP where the message was received.

--
tarko
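
The two demultiplexing approaches in this reply (route on the facility the device stamps, or route on which collector address the message arrived at), worked through as an added Python example that is not from the thread or from syslog-ng; the collector addresses 192.0.2.10/.11, the facility-to-destination map and the sample messages are constructed for illustration.

```python
import re
from collections import defaultdict

# RFC 3164 PRI = facility * 8 + severity; local0..local7 are facilities 16..23
SEVERITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITY = {16 + i: "local%d" % i for i in range(8)}
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)

# Method 1 from the thread: devices stamp a facility, the collector routes on it.
FACILITY_ROUTES = {"local0": "routers", "local1": "switches"}
# Method 2: each device class points at its own collector IP (assumed addresses).
LISTENER_ROUTES = {"192.0.2.10": "routers", "192.0.2.11": "switches"}

def decode_pri(line):
    """Return (facility_name, severity_name, body), or None if PRI is missing/invalid."""
    m = PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:  # 23 * 8 + 7 is the largest legal PRI value
        return None
    fac, sev = divmod(pri, 8)
    return FACILITY.get(fac, "facility%d" % fac), SEVERITY[sev], m.group(2)

def route(line, listener_ip=None):
    """Listener IP wins when mapped, then facility, then a catch-all; crit+ also pages."""
    decoded = decode_pri(line)
    if decoded is None:
        return ["unparsed"]  # keep malformed lines visible rather than dropping them
    facility, severity, _ = decoded
    dest = LISTENER_ROUTES.get(listener_ip) or FACILITY_ROUTES.get(facility, "catchall")
    dests = [dest]
    if SEVERITY.index(severity) <= SEVERITY.index("crit"):
        dests.append("pager")
    return dests

def demux(messages):
    """Group (line, listener_ip) pairs into per-destination buckets."""
    buckets = defaultdict(list)
    for line, ip in messages:
        for dest in route(line, ip):
            buckets[dest].append(line)
    return dict(buckets)

# Constructed sample messages (Cisco-style text), not taken from the thread.
SAMPLE = [
    ("<131>Feb  4 01:07:45 rtr1 %LINK-3-UPDOWN: Interface Gi0/1 changed state to up", None),
    ("<138>Feb  4 01:08:02 sw1 %SYS-2-MALLOCFAIL: Memory allocation failed", None),
    ("<132>Feb  4 01:08:10 sw2 %PORT-4-FLAP: port 12 flapping", "192.0.2.11"),
    ("no PRI header at all", None),
]
```

The third sample is stamped local0 but arrived on the switches' collector address, so the listener-IP rule sends it to the switch bucket; a real syslog-ng deployment expresses the same decisions as filter() and log{} statements.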
