nanog mailing list archives

Previous By Date Next
Previous By Thread Next

Re: improving signal to noise ratio from centralized network syslogs

From: "Scott Weeks" <surfer () mauigateway com>
Date: Mon, 5 Feb 2018 10:49:42 -0800


--- tarko () lanparty ee wrote:

This is done with the 'logging facility'
command on the devices:

After defining your syslog server's IP
address and the level of messaging you want
(I set it to debug because I want to see
everything):

on the routers: logging facility local0
on the switches:  logging facility local1


Alternative, and more universal, way to do it is to use multiple IPs for 
syslog server. Then configure correct syslog server IP on the device.

syslog-ng and others can all do filtering to different destinations 
based on the IP where message was received.
------------------------------------------------


The nice thing about the simple way is you see 
everything that's happening on the network, except
what you 'egrep -v' out, which you already know 
about.  Then you find things you weren't expecting.
  
You don't go looking for stuff.  You just watch the 
network events scroll by in real time ans see what 
shows up.

I have no knowledge of syslog-ng.  Does it do the
real time scrolling like I mention?

scott
Previous By Date Next
Previous By Thread Next

Current thread: