On Thu, 16 Jun 2005, mrgenius wrote:
> Hi all! I belong to a relatively huge organization, and we are not going to implement centralized logging. But I have a few considerations and things in mind which need to be rectified. We are an ISP with around 8-9 Cisco routers ranging from the 2600 to the 7200 series, around 30 MaxTNT access servers and around 20 Cisco switches.
Hello! So we are talking about 60 sources here. Not very much compared to other setups.
> Now I have a few questions:
> - What is a facility? Is it the log message type ("DEBUG INFO NOTICE WARNING ERROR CRIT ALERT EMERG")? Because all devices support defining the facility from local0 to local7, and some devices like the MaxTNT have options for defining the facility as well as the log level (with the options DEBUG INFO NOTICE WARNING ERROR CRIT ALERT EMERG).
The facility is the part of the system that generates the message, and the priority simply gives you an idea of whether it is urgent or not. Parts of the system may be: the mail system, kernel messages, the authorization subsystem etc. There are some facilities pre-defined, and for special use there are the local0-7 facilities; think of them as reserved for private use, like the 192.168.x.x IP range.
> - Although I know it depends on the logs/time duration, I would like to know what kind of machine is needed to run a syslog server (Linux based) with stability. Will a dual Xeon with 512k RAM be enough? And how about hard disk size?
Syslog is mostly I/O-bound, so any Xeon is fine. In fact, I have seen a Sun with 450 MHz and 4 CPUs (OK, SPARC architecture) pushing more than 2000 lines of syslog messages per _second_, so don't worry. Mostly the HDD bandwidth/access times are the bottleneck in high-volume syslog. HDD size depends on what the Ciscos deliver: in case they only tell you that some ports went up/down, some user logs in, and a BGP session has a hiccup, then it's very low-volume, and you can get very far with about 1 GB of space for the logs, especially when you rotate and zip old logs.
> Please, if someone has implemented syslog in such an organization structure as I have, suggest answers to the above questions.
OK, I did some testing recently for implementing a centralized syslog server, and my testing box never went over 100 MB of RAM in use, and also the I/O from the HDD was sufficient; that was an old desktop recycled for testing. Calculation: a syslog message is mostly max. 100 bytes; when you get about 1000 messages/hour, we are talking here about roughly 2.5 MB/day of messages... Depending on what you like your Ciscos to tell you, but typical important things like port up/down, BGP hiccups etc. should not be more than the above figure...

HTH
Olaf

--
Olaf Hoyer ohoyer@ohoyer.de
Terrible experiences give one cause to wonder whether he who experiences them is not something terrible. (Nietzsche, Beyond Good and Evil)
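As an added illustration of the facility/priority split and the volume estimate discussed above (example code written for this page, not from the thread or from any product), the following Python decodes the syslog PRI header, which encodes facility * 8 + severity, sorts a few constructed sample lines by facility and severity, and applies the same bytes-per-message rule of thumb to them. The sample lines, device names and counts are made up; Cisco gear defaulting to local7 is the only assumption taken from the devices named in the thread.

```python
import re
from collections import Counter

# Facility numbers 0-23 and severity numbers 0-7 as used in the syslog PRI field.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PRI_RE = re.compile(r"^<(\d{1,3})>")


def decode_pri(pri):
    """PRI = facility * 8 + severity, so split it with integer division and remainder."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]


def parse_line(line):
    """Return (facility, severity, text) for a raw syslog line, or None when no PRI header is present."""
    m = PRI_RE.match(line)
    if not m:
        return None
    facility, severity = decode_pri(int(m.group(1)))
    return facility, severity, line[m.end():].strip()


def summarize(lines, msgs_per_hour):
    """Count lines per (facility, severity) and estimate daily volume in bytes
    the way the thread does: average line size * messages per hour * 24."""
    counts, total_bytes, parsed = Counter(), 0, 0
    for line in lines:
        result = parse_line(line)
        if result is None:  # not syslog-formatted, e.g. a stray console line
            continue
        counts[result[:2]] += 1
        total_bytes += len(line.encode())
        parsed += 1
    avg = total_bytes / parsed if parsed else 0
    return counts, round(avg * msgs_per_hour * 24)


# Constructed sample lines (not real device output); 187/189 are local7.err and local7.notice.
SAMPLE = [
    "<187>Jun 16 10:01:02 rtr1 %LINK-3-UPDOWN: Interface Serial0/0, changed state to down",
    "<189>Jun 16 10:01:03 rtr1 %LINEPROTO-5-UPDOWN: Line protocol on Serial0/0 changed state to down",
    "<189>Jun 16 10:01:09 rtr1 %BGP-5-ADJCHANGE: neighbor 10.0.0.2 Down Interface flap",
    "<134>Jun 16 10:02:15 tnt3 login: user alice connected on port 12",
    "Jun 16 10:02:16 tnt3 this line has no PRI header and is skipped",
]
```

Calling `summarize(SAMPLE, msgs_per_hour=1000)` gives the per-facility counts plus a daily byte estimate of roughly 2 MB, in line with the figure quoted in the reply.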