Multiple syslog sources

Comments

9 comments

  • Ben Newton

    Kevin,

    If you put too many kinds of data in a single syslog source, you lose the benefit of the Source Category metadata field. I would recommend having a different source for network and OS data. You can still use the same collector, if you like, since you can create more than one syslog source on different ports.


    Ben

  • Kevin Francis

    Thanks Ben.

    Our issue is that both the OS team and the network team want to use port 514.  They want to keep to standard port numbers. :(

    -Kevin

  • Ben Newton

    Can you use two separate collectors?


    Ben

  • Kevin Francis

    That would involve setting up a collector on a different server, correct... since we cannot have two sources on the same collector using the same port. Correct?

  • Ben Newton

    Yes, correct. That is an OS restriction, not a Sumo Logic restriction, though :).


    Ben

  • Kevin Francis

    Would be great if we could assign multiple IP addresses to a NIC, and when creating sources assign different IP addresses. But not sure if that would be limited based on OS as well.

    I'll need to set up collectors on other servers somewhere now to split up syslog and network traffic to use the Source Category tag. Was trying to see if there were any other options.

  • Ben Newton

    Good point, Kevin. You can put in a feature request for that here:

    https://support.sumologic.com/forums/20276862-Feature-Requests

  • Mike K

    The way SYSLOGNG solves this problem is that it simply adds the source IP information into the log that it originated from. Can we have this added as well here?

  • Chuck Johnson

    We have solved this a couple different ways. On our PA firewalls, you can modify the tokens the device sends in its syslog data. We then place the source category in as a hardcoded token. We also have collectors that allow us to parse on the way in, so we have a device lookup list loaded in memory on the collector and it then assigns a sourcecategory to the data on the fly. Finally, if neither of those work, we will setup separate syslog sources.

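Added example (not code from the thread or from Sumo Logic): a small Python ingest-side classifier that combines the two workarounds discussed above. It keeps a device lookup list in memory keyed on the sender's IP address, as Chuck Johnson describes, and honours a category token the device itself stamps into the message, as with the customised PA firewall log format. The lookup table, the token name `sourcecategory=`, and the sample lines with their sender IPs are all constructed for this example; a real receiver would take the sender IP from the UDP/TCP socket rather than from a list.

```python
"""Assign a Source Category to syslog lines on ingest, by sender IP lookup
or by a token the device embeds. Added example; table and samples are constructed."""
import ipaddress
import re
from typing import Dict, List

# Constructed device lookup list: CIDR prefix -> Source Category.
# Sorted longest-prefix-first so a /32 entry overrides a broader range.
DEVICE_LOOKUP: Dict[str, str] = {
    "10.1.0.0/24": "network/firewall",
    "10.1.0.50/32": "network/loadbalancer",
    "10.2.0.0/16": "os/linux",
}
_NETWORKS = sorted(
    ((ipaddress.ip_network(p), c) for p, c in DEVICE_LOOKUP.items()),
    key=lambda nc: nc[0].prefixlen,
    reverse=True,
)
DEFAULT_CATEGORY = "syslog/unclassified"

# RFC 3164 style line: <PRI>Mmm dd hh:mm:ss HOST TAG: message
_SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<msg>.*)$"
)
# Hypothetical hardcoded token a device can be configured to send in its
# log format; the token name is an assumption made for this example.
_TOKEN_RE = re.compile(r"\bsourcecategory=(?P<cat>[\w/\-]+)")


def category_for_ip(sender_ip: str) -> str:
    """Longest-prefix match of the sender against the lookup list."""
    addr = ipaddress.ip_address(sender_ip)
    for net, cat in _NETWORKS:
        if addr in net:  # False when address and network families differ
            return cat
    return DEFAULT_CATEGORY


def classify(sender_ip: str, line: str) -> dict:
    """Parse one line and attach the Source Category chosen on ingest."""
    m = _SYSLOG_RE.match(line)
    if m:
        pri = int(m.group("pri"))
        fields = {
            "host": m.group("host"),
            "timestamp": m.group("ts"),
            "facility": pri // 8,
            "severity": pri % 8,
            "msg": m.group("msg"),
        }
    else:
        # Not RFC 3164 shaped: keep the raw line instead of dropping it.
        fields = {"host": None, "timestamp": None, "facility": None,
                  "severity": None, "msg": line}
    token = _TOKEN_RE.search(fields["msg"])
    # Precedence: a category the device stamped itself, then the IP lookup,
    # then the default so nothing arrives without a category.
    fields["sourceCategory"] = token.group("cat") if token else category_for_ip(sender_ip)
    fields["senderIp"] = sender_ip
    return fields


# Constructed sample traffic as (sender IP, raw line), the way a listener
# on a single port would see it from several teams' devices.
SAMPLE = [
    ("10.1.0.7", "<134>Feb  3 10:15:02 fw-edge-01 pan: deny tcp 203.0.113.9 -> 10.1.0.20:22"),
    ("10.1.0.50", "<13>Feb  3 10:15:03 lb-01 haproxy[221]: backend web down"),
    ("10.2.4.18", "<38>Feb  3 10:15:04 app-01 sshd[4419]: Accepted publickey for deploy from 10.2.9.1"),
    ("10.9.9.9", "<30>Feb  3 10:15:05 fw-branch pan: sourcecategory=network/firewall-branch allow udp 10.9.9.10"),
    ("192.0.2.44", "plain text with no syslog header"),
]


def classify_all(samples=SAMPLE) -> List[dict]:
    return [classify(ip, line) for ip, line in samples]


if __name__ == "__main__":
    for rec in classify_all():
        print(rec["sourceCategory"], rec["senderIp"], rec["host"], rec["msg"][:40])
```

Because the category is decided per message rather than per listening port, the OS team and the network team can both keep port 514 on one collector host; the cost is that the lookup list has to be maintained as devices are added, and a device that is not in the list lands in the default category where it can be spotted and fixed.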
