<div>| Tom Le wrote:<br>| > There are commercial tools you can consider as well but cost is very<br>| > high for this type of distributed architecture (several hundred<br>| > thousand dollars USD)<br>| <br>| Bazsi wrote:
<br>| Can you elaborate on these tools? I would be interested even in private,<br>| if you think it is too off-topic here.</div>
<div> </div>
<div>Yes, both Splunk and LogLogic provide distributed, high-volume, high-performance indexing, archiving, and search capabilities. Splunk even has distributed search, redundancy, and distributed routing logic you can apply to syslog messages. You can try out Splunk for free, with a 500-MB-per-day log size limit and some enterprise features disabled.
</div>
<div> </div>
<div>Like I said, these deployments can be expensive vs. what you can do with syslog-ng and some home-grown integration. The question really is: what exactly do you need? Do you need the ability to query free-form text, with various compliance reports and alerts available out of the box? Do you need to configure alerts based on specific events or content within the log messages (this then starts to become an event monitoring discussion)? Do you need specialized reports for specific device types like firewall logs, router logs, Windows logs, etc.?
</div>
<div> </div>
<div>Or is centralized collection of logs by itself sufficient (in which case syslog-ng is all you need)? In some large environments, grepping and processing GBs or TBs of data is not the answer, so you need the high-end commercial tools.
</div>
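<div>As an added example (not part of Tom's reply or the syslog-ng project's own documentation), here is a minimal syslog-ng configuration covering the two cases the reply contrasts: plain centralized collection of network syslog into per-host archive files, plus one content-based alert that hands matching messages to an external program. The listener address and port, the archive path, the handler script path and the "Failed password" pattern are assumptions chosen for illustration; the syntax targets syslog-ng 3.x.</div>

```conf
# Added example (not from the original post): a central syslog-ng collector.
# Assumptions: syslog-ng 3.x syntax, listeners on 0.0.0.0:514 (UDP and TCP),
# archive under /var/log/central, hypothetical handler /usr/local/bin/alert.sh.
@version: 3.0

options {
    create_dirs(yes);
    keep_hostname(yes);      # keep the hostname the sender put in the message
    use_dns(no);             # do not block on reverse lookups under load
};

# Network sources: classic UDP/514 plus TCP/514 for senders that support it.
source s_net {
    udp(ip(0.0.0.0) port(514));
    tcp(ip(0.0.0.0) port(514) max-connections(500));
};

# Centralized collection: one file per sending host and day, readable
# by the adm group only.
destination d_archive {
    file("/var/log/central/$HOST/$YEAR$MONTH$DAY.log"
         owner(root) group(adm) perm(0640) create_dirs(yes));
};

# Content-based alert: SSH authentication failures.
# The pattern is a hypothetical example; match the events that matter to you.
filter f_ssh_fail {
    facility(auth, authpriv)
    and program("sshd")
    and match("Failed password" value("MESSAGE"));
};

# Alert destination: matching lines are written to the stdin of a
# hypothetical handler script that pages, mails, or opens a ticket.
destination d_alert {
    program("/usr/local/bin/alert.sh"
            template("$ISODATE $HOST $PROGRAM: $MESSAGE\n"));
};

# Everything received from the network goes to the archive ...
log { source(s_net); destination(d_archive); };

# ... and only the filtered subset raises an alert.
log { source(s_net); filter(f_ssh_fail); destination(d_alert); };
```

<div>Two points worth knowing before copying this: the program() destination starts the handler once and keeps writing lines to its stdin rather than spawning one process per message, so the script must loop over its input; and UDP syslog is lossy and unauthenticated, so where the sending devices allow it, prefer the TCP listener (or TLS on top of it) for anything you intend to alert on or present as evidence.</div>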