Multiple syslog sources

Follow

Kevin Francis

• September 13, 2013 20:12

What are people doing for syslog collector strategy?

We have a situation where we currently have all of our Unix server forwarding their syslog to Sumologic syslog source. It is working great.

The network team wants to jump on to the Sumologic bandwagon (as well they should), but the issue is that if we send them to the same syslog source the Unix team is using, we think it may be hard to search the Unix data seperately from the network data. Our original plan was to have the syslog source SourceCategory be something specific for Unix so they could search their data specifically. But if we throw the network data in there, we can't search it by SourceCatagory any longer.

Has anyone had issues where multiple types of data are coming in to a single syslog collector, and are now experiencing difficulty searching the data based on the source of the data (unix vs. network, for example)? Or are people setting up seperate syslog collectors for each source of data (one for unix, one for network, for example).

Thanks!!!!

-Kevin

1

• 

  Ben Newton

  • September 13, 2013 20:28

  Kevin,

  If you put too many kinds of data in a single syslog source, you lose the benefit of the Source Category metadata field. I would recommend having a different source network and OS data. You can still use the same collector, if you like, since you can create one than one syslog source on different ports.

   

  Ben

  0

  Comment actions Permalink
• 

  Kevin Francis

  • September 13, 2013 20:48

  Thanks Ben.

  Our issue is that both the OS team and the network team want to use port 514.  They want to keep to standard port numbers. :(

  -Kevin

  0

  Comment actions Permalink
• 

  Ben Newton

  • September 13, 2013 20:53

  Can you use two separate collectors?

   

  Ben

  0

  Comment actions Permalink
• 

  Kevin Francis

  • September 13, 2013 22:30

  That would invovle setting up a collector on a different server, correct... since we can not have two sources on the same collector using the same port. Correct?

  0

  Comment actions Permalink
• 

  Ben Newton

  • September 13, 2013 22:31

  Yes, correct. That is an OS restriction, not a Sumo Logic restriction, though :).

   

  Ben

  0

  Comment actions Permalink
• 

  Kevin Francis

  • September 13, 2013 22:36

  Would be great if we could assign multiple IP addresses to a NIC, and when creating sources assign different IP addresses. But not sure if that would be limited based on OS as well.

  I'll need to setup collectors on other servers somewhere now to split up syslog and network traffic to use source catagory tag. Was trying to see if there were any other options.

  0

  Comment actions Permalink
• 

  Ben Newton

  • September 13, 2013 23:01

  Good point, Kevin. You can put in a feature request for that here:

  https://support.sumologic.com/forums/20276862-Feature-Requests

  0

  Comment actions Permalink
• 

  Mike K

  • March 11, 2014 14:53

  The way SYSLOGNG solves this problem it simply adds the source IP information into the log that it originated from.  Can we have this added as well here?

  0

  Comment actions Permalink
• 

  Chuck Johnson

  • June 23, 2014 19:11

  We have solved this a couple different ways. On our PA firewalls, you can modify the tokens the device sends in its syslog data. We then place the source category in as a hardcoded token. We also have collectors that allow us to parse on the way in, so we have a device lookup list loaded in memory on the collector and it then assigns a sourcecategory to the data on the fly. Finally, if neither of those work, we will setup separate syslog sources.

  0

  Comment actions Permalink

Please sign in to leave a comment.