I would start by limiting, on the PIX itself, what messages it logs; for example: no logging message 106001

"Cary, Kim" <Kim.Cary@pepperdine.edu> wrote:

I just got logging going with syslog-ng in the last couple of weeks (first client is our PIX 520). We can have up to 20 GB/day from our PIX. When compressed, the logs are up to 2 GB/day. We do want a record of all sessions for forensics & troubleshooting (it has already saved us hours of time), but the log format is quite verbose.

Because of that verbosity, I was thinking of writing just key fields to a MySQL database, as you suggest. However, I don't want to get into a situation where the only reporting is whatever report script I have time to write... If Joseph or someone else has a suggestion for fields to insert into the db and a reporting package to use, I'd appreciate it.

Kim Cary
InfraSec Admin
Pepperdine University

On Oct 29, 2004, at 5:43 AM, syslog-ng-request@lists.balabit.hu wrote:
server. The central server is currently piping the information to a Mysql database. Each incoming device writes to its own table in the database. A modification to this we would like to accomplish is to key various pieces of information stored in the "message" field.
For example, syslog messages sent from the mail servers will contain the sender, recipient, delivery status in the "message" field. Our thought is to key these pieces of information for quick lookup. Some of the systems (Cisco Pix) are sending up to 5G of information a day. Another reason to key the information.
syslog-ng maillist - syslog-ng@lists.balabit.hu https://lists.balabit.hu/mailman/listinfo/syslog-ng Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
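The thread above talks about two things: keeping only the key fields of each PIX message in a database table so they can be indexed, and dropping message 106001 at the source. The following is an added example that is not code from the thread or from syslog-ng. It parses the %PIX-severity-msgid header that Cisco PIX syslog messages carry, pulls the connection fields (action, protocol, source and destination address/port) out of the common Built/Teardown and "connection denied" message bodies, and inserts only those fields into an indexed table. The sample log lines are constructed for illustration, the body layouts of the connection messages are assumed from the PIX message format rather than taken from the thread, and the table name, column names and the optional ingest-side suppression set are my own choices (the reply suggests suppressing 106001 on the PIX itself, which is where it saves the most bandwidth; filtering at the collector is shown only as the alternative).

```python
"""Store only the key fields of Cisco PIX syslog messages in an indexed table.

Added example, not part of the mailing-list thread or of syslog-ng. Message
body layouts for 302013/302014/302015 (Built/Teardown ... connection) and
106001 (Inbound ... connection denied) are assumed from the PIX syslog format.
"""
import re
import sqlite3

# Constructed sample lines (not real traffic), in the form a PIX hands to syslog.
SAMPLE_LINES = [
    "Oct 29 05:43:01 pix520 %PIX-6-302013: Built inbound TCP connection 4711 for outside:203.0.113.10/51234 (203.0.113.10/51234) to inside:10.1.2.3/25 (10.1.2.3/25)",
    "Oct 29 05:43:02 pix520 %PIX-6-302014: Teardown TCP connection 4711 for outside:203.0.113.10/51234 to inside:10.1.2.3/25 duration 0:00:01 bytes 1432 TCP FINs",
    "Oct 29 05:43:03 pix520 %PIX-2-106001: Inbound TCP connection denied from 198.51.100.7/4444 to 10.1.2.3/445 flags SYN on interface outside",
    "Oct 29 05:43:04 pix520 %PIX-6-302015: Built outbound UDP connection 4712 for outside:203.0.113.53/53 (203.0.113.53/53) to inside:10.1.2.9/33000 (10.1.2.9/33000)",
    "Oct 29 05:43:05 pix520 %PIX-6-305011: Built dynamic TCP translation from inside:10.1.2.9/33001 to outside:203.0.113.1/1025",
]

# Every PIX message starts with a syslog timestamp, the host, and %PIX-<severity>-<6-digit id>.
HEADER = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"%PIX-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<body>.*)$"
)
# Built/Teardown connection bodies (302013/302014/302015 style, assumed layout).
CONN = re.compile(
    r"(?P<action>Built|Teardown) (?:(?P<dir>inbound|outbound) )?(?P<proto>TCP|UDP) connection "
    r"(?P<connid>\d+) for (?P<sif>\w+):(?P<sip>[\d.]+)/(?P<sport>\d+) .*?"
    r"to (?P<dif>\w+):(?P<dip>[\d.]+)/(?P<dport>\d+)"
)
# "connection denied" bodies (106001 style, assumed layout).
DENY = re.compile(
    r"Inbound (?P<proto>TCP|UDP) connection denied from (?P<sip>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dip>[\d.]+)/(?P<dport>\d+) flags (?P<flags>[\w ]+?) on interface (?P<dif>\w+)"
)

COLS = ("ts", "host", "severity", "msgid", "action", "proto",
        "src_ip", "src_port", "dst_ip", "dst_port")

# Hypothetical table: only the key fields, indexed for the lookups people actually run.
SCHEMA = """
CREATE TABLE pix_conn (
    ts TEXT NOT NULL, host TEXT NOT NULL, severity INTEGER NOT NULL,
    msgid TEXT NOT NULL, action TEXT, proto TEXT,
    src_ip TEXT, src_port INTEGER, dst_ip TEXT, dst_port INTEGER
);
CREATE INDEX pix_conn_msgid ON pix_conn (msgid);
CREATE INDEX pix_conn_src ON pix_conn (src_ip, dst_port);
"""


def parse_pix(line):
    """Return a dict of key fields for one PIX line, or None if it is not a PIX message."""
    m = HEADER.match(line)
    if not m:
        return None
    rec = dict.fromkeys(COLS)
    rec.update(ts=m["ts"], host=m["host"], severity=int(m["sev"]), msgid=m["msgid"])
    c = CONN.search(m["body"]) or DENY.search(m["body"])
    if c:
        g = c.groupdict()
        rec.update(
            action=g.get("action") or "Denied",   # DENY has no action group
            proto=g["proto"], src_ip=g["sip"], src_port=int(g["sport"]),
            dst_ip=g["dip"], dst_port=int(g["dport"]),
        )
    # Other message ids keep only the header fields; the verbose body is not stored.
    return rec


def load(lines, suppressed=()):
    """Parse lines into an in-memory SQLite table, skipping ids in `suppressed`."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    rows = []
    for line in lines:
        rec = parse_pix(line)
        if rec is None or rec["msgid"] in suppressed:
            continue
        rows.append(tuple(rec[k] for k in COLS))
    db.executemany("INSERT INTO pix_conn VALUES (?,?,?,?,?,?,?,?,?,?)", rows)
    db.commit()
    return db


def count_by_msgid(db):
    """Volume per message id: the first thing to look at before deciding what to suppress."""
    return dict(db.execute("SELECT msgid, COUNT(*) FROM pix_conn GROUP BY msgid"))


def denied_sources(db):
    """Distinct source addresses that hit 106001 (uses the msgid index)."""
    return [r[0] for r in db.execute(
        "SELECT DISTINCT src_ip FROM pix_conn WHERE msgid = '106001' ORDER BY src_ip")]


if __name__ == "__main__":
    db = load(SAMPLE_LINES)
    print(count_by_msgid(db))
    print(denied_sources(db))
```

Running it on the sample lines gives a per-message-id count and the list of sources that were denied; the same parse function would feed a syslog-ng program() destination or a batch importer, and the `suppressed` set reproduces at the collector what `no logging message 106001` does on the PIX. Keying on (src_ip, dst_port) and on msgid is a starting point only; the fields worth indexing are the ones your incident questions are phrased in.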