Multiple syslog sources
What are people doing for syslog collector strategy?
We have a situation where we currently have all of our Unix servers forwarding their syslog to a Sumologic syslog source. It is working great.
The network team wants to jump onto the Sumologic bandwagon (as well they should), but the issue is that if we send them to the same syslog source the Unix team is using, we think it may be hard to search the Unix data separately from the network data. Our original plan was to have the syslog source SourceCategory be something specific for Unix so they could search their data specifically. But if we throw the network data in there, we can't search it by SourceCategory any longer.
Has anyone had issues where multiple types of data are coming into a single syslog collector, and are now experiencing difficulty searching the data based on the source of the data (Unix vs. network, for example)? Or are people setting up separate syslog collectors for each source of data (one for Unix, one for network, for example)?
Thanks!!!!
-Kevin
-
Kevin,
If you put too many kinds of data in a single syslog source, you lose the benefit of the Source Category metadata field. I would recommend having a different source for network and OS data. You can still use the same collector, if you like, since you can create more than one syslog source on different ports.
Ben
-
Would be great if we could assign multiple IP addresses to a NIC, and when creating sources assign different IP addresses. But not sure if that would be limited based on OS as well.
I'll need to set up collectors on other servers somewhere now to split up syslog and network traffic to use the source category tag. Was trying to see if there were any other options.
-
Good point, Kevin. You can put in a feature request for that here:
https://support.sumologic.com/forums/20276862-Feature-Requests
-
We have solved this a couple of different ways. On our PA firewalls, you can modify the tokens the device sends in its syslog data. We then place the source category in as a hardcoded token. We also have collectors that allow us to parse on the way in, so we have a device lookup list loaded in memory on the collector and it then assigns a sourcecategory to the data on the fly. Finally, if neither of those work, we will set up separate syslog sources.
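The three strategies in the reply above (a category token hardcoded into the device's message, a hostname lookup list on the collector, and a per-port default) can be combined into one ingest-time tagging rule. The following is an added example, not code from the thread or from Sumologic: it parses RFC 3164 syslog lines and assigns a source category by token, then lookup, then listening port. The `SC=` token format, the hostnames, the category names and the sample log lines are all constructed for illustration. It also shows one edge case the thread does not mention: an embedded token is only honoured from hosts you expect to send one, so that a user-controlled string in a Unix log line cannot re-route that line into the network category.

```python
import re
from typing import NamedTuple, Optional

# Minimal RFC 3164 header: <PRI>Mmm dd hh:mm:ss HOSTNAME MSG
_RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2}\s{1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<msg>.*)$"
)

# Assumed token format a device embeds in its message, e.g. "SC=network/firewall/pa".
# The real token a given firewall emits is whatever you configured on it.
_CATEGORY_TOKEN = re.compile(r"(?:^|[\s,])SC=(?P<cat>[A-Za-z0-9_./-]+)")

# Constructed device lookup list: hostname -> source category.
DEVICE_MAP = {
    "unixhost01": "os/unix",
    "core-sw-01": "network/switch",
    "pa-fw-01": "network/firewall",
}
# Constructed per-listener defaults for hosts not in the lookup list.
PORT_DEFAULTS = {514: "os/unix", 1514: "network/unknown"}
# Only these hosts are allowed to override the category via an embedded token.
TOKEN_HOSTS = {"pa-fw-01"}

# Constructed sample input: (listening port, raw syslog line).
SAMPLE_LINES = [
    (514, "<34>Oct 11 22:14:15 unixhost01 sshd[1234]: Accepted publickey for kevin from 10.0.0.5 port 51234 ssh2"),
    (1514, "<165>Oct 11 22:14:16 pa-fw-01 1,2023/10/11 22:14:16,SC=network/firewall/pa,TRAFFIC,end"),
    (1514, "<189>Oct 11 22:14:17 core-sw-01 %LINK-3-UPDOWN: Interface Gi1/0/1, changed state to down"),
    (514, "<13>Oct 11 22:14:18 unknownbox01 app: hello"),
    # A Unix host whose message carries a token-looking string; it must not be re-routed.
    (514, "<13>Oct 11 22:14:19 unixhost01 login: user SC=network/firewall/pa failed"),
    (1514, "garbage without a syslog header"),
]


class SyslogEvent(NamedTuple):
    facility: Optional[int]
    severity: Optional[int]
    hostname: Optional[str]
    message: str


def parse_syslog(line: str) -> SyslogEvent:
    """Split an RFC 3164 line into PRI fields, hostname and message."""
    m = _RFC3164.match(line)
    if not m:
        # Malformed header: keep the raw text so nothing is silently dropped.
        return SyslogEvent(None, None, None, line)
    pri = int(m.group("pri"))
    return SyslogEvent(pri // 8, pri % 8, m.group("host"), m.group("msg"))


def assign_source_category(line: str, port: int) -> tuple:
    """Return (category, method) using token, then lookup, then port default."""
    ev = parse_syslog(line)
    host = ev.hostname.lower() if ev.hostname else None
    # 1. Hardcoded token in the message, honoured only from trusted senders.
    if host in TOKEN_HOSTS:
        tok = _CATEGORY_TOKEN.search(ev.message)
        if tok:
            return tok.group("cat"), "token"
    # 2. In-memory device lookup list on the collector.
    if host in DEVICE_MAP:
        return DEVICE_MAP[host], "lookup"
    # 3. Fall back to the category of the syslog source (port) the line arrived on.
    return PORT_DEFAULTS.get(port, "unclassified"), "port"


def tag_samples() -> list:
    """Tag every constructed sample line; returns (hostname, category, method) tuples."""
    out = []
    for port, line in SAMPLE_LINES:
        ev = parse_syslog(line)
        cat, method = assign_source_category(line, port)
        out.append((ev.hostname, cat, method))
    return out


if __name__ == "__main__":
    for hostname, cat, method in tag_samples():
        print(f"{str(hostname):14} -> {cat:22} ({method})")
```

The ordering matters: the token is the most specific signal, the lookup list covers devices you cannot reconfigure, and the port default is what you get from a plain "one syslog source per data type" layout. Treating the token as trusted input only from known hosts is the check a practitioner would want, since anything that ends up in a message body (usernames, banners, HTTP headers) is attacker-influenced.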