Centralize syslog files using Logstash?

KZhou_2
Techie
Posts: 7
7244     0

Hi there,

Has anyone tried to use Logstash to centralize the syslog files and send syslog messages to NetMRI? Could you please share your experience?

Thanks,

Kevin

Hi Kevin,

Authority
Posts: 41
7245     0

Hi Kevin,

We use a similar centralized syslog server; the server receives the logs from the devices, then forwards them to the NetMRI collector (OC setup, so we forward to collectors).

One thing we notice is that the syslog forwarding is a little bit delayed because of the extra hop it goes through.

Overall, the syslogs look like they are coming directly from the device, from NetMRI's point of view.

Thanks,

Nick

Centralized syslog server?

KZhou_2
Techie
Posts: 7
7245     0

Hi Nick,

How do you configure the source info on the syslog message (syslog server IP/host name or device IP/host name)?

Thanks,

Kevin

Hi Kevin,

Authority
Posts: 41
7245     0

Hi Kevin,

The source info should remain the device IP. Your syslog server should not modify the IP header of the forwarded message; that is how the NetMRI collector recognizes the device IP and triggers a real-time config capture.

BTW, I am talking about the source IP in the IP header, not the syslog message itself.

Thanks,

Nick

It would be preferable to do

Adviser
Posts: 357
7245     0

It would be preferable to do as you plan, and send events to a syslog receiver and have it forward them to NetMRI. This puts the least load on the NetMRI appliance.

However, some versions of syslog receivers will not spoof the IP header - that is, they will forward the message, but the source IP in the header will be the syslog receiver, NOT the original device. In that case, the NetMRI will see the data as coming from the syslog receiver, which will prevent it from properly associating it with the original device.

If your syslog receiver suffers from this flaw, you should send the syslog events directly to the NetMRI; the NetMRI can then forward them to the syslog receiver for additional processing/storage/indexing. The NetMRI will ensure that the source IP of the packet contains the original device IP, not the NetMRI IP. You can configure up to 3 forwarding locations in the settings screen.

John
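
One way to check, on the receiving side, whether a relay is replacing the device address with its own, as described in the post above. This is an added example, not part of the thread and not NetMRI or Logstash code; it assumes the devices emit RFC 3164 style messages with a HOSTNAME field, and the function names, addresses and log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# RFC 3164 style header: <PRI>Mmm dd hh:mm:ss HOSTNAME ...
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
)

def header_host(payload: bytes):
    """Return the HOSTNAME field of an RFC 3164 message, or None if absent."""
    m = RFC3164.match(payload.decode("utf-8", errors="replace"))
    return m.group("host") if m else None

def find_rewriting_relays(datagrams, min_hosts=2):
    """Map source IP -> sorted header hostnames, for sources carrying several.

    datagrams: iterable of (ip_source_address, udp_payload_bytes).
    One IP source address speaking for several hostnames means a relay
    put its own address in the IP header instead of the device's.
    """
    hosts_by_src = defaultdict(set)
    for src_ip, payload in datagrams:
        host = header_host(payload)
        if host is not None:  # skip payloads without a parsable header
            hosts_by_src[src_ip].add(host)
    return {src: sorted(h) for src, h in hosts_by_src.items() if len(h) >= min_hosts}

# Constructed sample: 192.0.2.50 is a relay that does not preserve the source IP,
# 198.51.100.7 is a device whose own address reaches the collector.
SAMPLE = [
    ("192.0.2.50", b"<189>Oct  3 10:15:01 core-sw1 %SYS-5-CONFIG_I: Configured from console"),
    ("192.0.2.50", b"<189>Oct  3 10:15:04 edge-rtr2 %SYS-5-CONFIG_I: Configured from console"),
    ("198.51.100.7", b"<189>Oct  3 10:15:09 dist-sw3 %SYS-5-CONFIG_I: Configured from console"),
    ("198.51.100.7", b"<189>Oct  3 10:16:12 dist-sw3 %LINK-3-UPDOWN: Interface Gi0/1, changed state to up"),
    ("192.0.2.50", b"not a syslog header"),
]

if __name__ == "__main__":
    for src, hosts in find_rewriting_relays(SAMPLE).items():
        print(f"{src} forwards for {hosts}: source IP not preserved")
```

The (source address, payload) pairs can come from a packet capture taken on the collector's network segment. A relay that also rewrites the HOSTNAME field would not be caught by this check.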

I see. Thanks Nick. Kevin

KZhou_2
Techie
Posts: 7
7245     0

I see. Thanks Nick.

Kevin
