08-21-2014 12:35 PM
Has anyone tried to use Logstash to centralize the syslog files and send syslog messages to NetMRI? Could you please share your experience?
08-25-2014 08:37 AM
We use a similar centralized syslog server; the server receives the logs from the device, then forwards them to the NetMRI collector (OC setup, so we forward to collectors).
One thing we notice is that the syslog forwarding is a little bit delayed because of the extra hop it goes through.
Overall, the syslogs look like they are coming directly from the device from NetMRI's point of view.
08-28-2014 01:32 PM
How do you configure the source info on the syslog message (syslog server IP/host name or device IP/host name)?
08-29-2014 12:38 PM
The source info should remain the device IP. Your syslog server should not modify the IP header of the forwarded message; that is how the NetMRI collector recognizes the device IP and triggers a real-time config capture.
BTW, I am talking about the source IP in the IP header, not the syslog message itself.
08-29-2014 06:38 PM
It would be preferable to do as you plan, and send events to a syslog receiver and have it forward them to NetMRI. This puts the least load on the NetMRI appliance.
However, some versions of syslog receivers will not spoof the IP header - that is, they will forward the message, but the source IP in the header will be the syslog receiver, NOT the original device. In that case, the NetMRI will see the data as coming from the syslog receiver, which will prevent it from properly associating it with the original device.
If your syslog receiver suffers from this flaw, you should send the syslog events directly to the NetMRI; the NetMRI can then forward them to the syslog receiver for additional processing/storage/indexing. The NetMRI will ensure that the source IP of the packet contains the original device IP, not the NetMRI IP. You can configure up to 3 forwarding locations in the settings screen.
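The thread's point is that NetMRI keys on the IP-header source address, so a relay that rewrites it breaks device association. The following is an added example, not code from the thread or from NetMRI: it parses RFC 3164 syslog lines received over UDP and compares the sender address (what NetMRI would see in the IP header) with the HOSTNAME field the device wrote, flagging records where a relay has replaced the original source. The sample records and the `inventory` map of hostname to IP are constructed for the example.

```python
import ipaddress
import re

# RFC 3164 header: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG: message
_RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<body>.*)$"
)

def parse_rfc3164(line):
    """Return facility, severity, hostname and body, or None if not RFC 3164."""
    m = _RFC3164.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    return {"facility": pri // 8, "severity": pri % 8,
            "host": m.group("host"), "body": m.group("body")}

def classify_source(sender_ip, line, inventory=None):
    """Compare the UDP sender (IP-header source) with the device's own
    HOSTNAME field. 'relayed' means a hop rewrote the source address,
    which is the failure mode described for NetMRI device association."""
    rec = parse_rfc3164(line)
    if rec is None:
        return "unparsed"
    host = rec["host"]
    try:
        host_ip = ipaddress.ip_address(host)
    except ValueError:
        # Device logged a name; resolve through a constructed inventory map,
        # or report that no comparison was possible without one.
        if not inventory or host not in inventory:
            return "hostname-only"
        host_ip = ipaddress.ip_address(inventory[host])
    return "direct" if host_ip == ipaddress.ip_address(sender_ip) else "relayed"

# Constructed samples: (UDP sender address, raw syslog line)
SAMPLE = [
    ("10.1.1.5", "<189>Aug 28 13:32:01 10.1.1.5 %SYS-5-CONFIG_I: Configured from console by admin"),
    ("10.0.0.50", "<189>Aug 28 13:32:02 10.1.1.6 %SYS-5-CONFIG_I: Configured from console by admin"),
    ("10.1.1.7", "<190>Aug 28 13:32:03 core-sw1 %LINK-3-UPDOWN: Interface Gi0/1, changed state to up"),
]

def audit(records, inventory=None):
    """Count verdicts over a batch; any 'relayed' hits mean the relay is not preserving source IPs."""
    counts = {}
    for sender, line in records:
        verdict = classify_source(sender, line, inventory)
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts
```

Run `audit` against a capture taken on the NetMRI side of the relay; a non-zero `relayed` count means the relay is rewriting the source and the direct-to-NetMRI topology from the last post is the safer choice.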