[syslog-ng] Some Questions!

Olaf Hoyer ohoyer at ohoyer.de
Thu Jun 16 09:06:09 CEST 2005 

On Thu, 16 Jun 2005, mrgenius wrote:

> Hi all!
> I belongs to a relatively huge orginization. And we are not going to
> impliment Centralized Logging. But I have Few considerations and Things in
> mind whihc i needs to be rectified.
> We are ISP having around 8-9 Cisco routers ranging from 2600 to 7200
> series. around 30MaxTNT Access Servers and aroud 20 Cisco Switches.

Hallo!

So we are talking about 60 Sources here. Not very much compared to other 
setups.


> NOw i have Few Questions
>  - What is Facility?? is it log message type ?? "DEBUG INFO NOTICE WARNING
> ERROR CRIT ALERT EMERG " . Because All Devices supports defining of facility
> from local0 to local 7. And Some devices like MaxTNT have options of definit
> facility as well as log level (having options of DEBUG INFO NOTICE WARNING
> ERROR CRIT ALERT EMERG)

The facility is the part of the system that generates the message, and 
the priority simply gives you an idea if its urgent or not.

part of the system may be: mail system, kernel messages, authorization 
subsystem etc.

There are some facilities pre-defined, and for special use there are the 
local0-7 facilities- think of them as reserved for private use like 
192.168.x.x IP Range.


> - Altough i know it depends on logs/time duration. But i would like to know
> what kind of machine is needed to runn syslog server (linux based) with
> stability? Will Dual XEON with 512k ram be enough?? And how about Harddisk
> size?

Syslog is mostly I/O-Bound, so any Xeon is fine- in fact, I have seen a 
Sun with 450 MHz and 4 CPUs (ok, Sparc architecture) pushing about more 
than 2000 lines of syslog messages per _second_, so dont worry.
Mostly the HDD bandwidth/access times is the bottleneck in high-volume 
syslog.

HDD size depends on what the ciscos deliver- in case they only tell you 
that some ports went up/down, some user logs in, and a bgp-session goes 
hickup, then ist very low-volume, then you can get very far with about 1 
GB space for the logs, especially when you rotate an zip old logs.



> Please if some one who has implimented syslog in such orgnization structure
> as i have.. suggest me answers of above said Question.

Ok, I did some testing stuff recently for implementing some centralized 
syslog server, and my testing box never went over 100MB RAM in use, and 
also the I/O from the HDD was sufficient- that was an old desktop 
recycled for testing.

Calculation: a syslog message is mostly max. 100 bytes- when you get 
about 1000 Messages/hour, we are talking here about roughly 2.5 MB/day 
of messages...

Depending of what you like your Ciscos to tell you, but typical 
important things like Port up/down, bgp hickups etc. should not be more 
that above figure...

HTH
Olaf



-- 
Olaf Hoyer        ohoyer at ohoyer.de
Fuerchterliche Erlebniss geben zu raten,
ob der, welcher sie erlebt, nicht etwas Fuerchterliches ist.
(Nietzsche, Jenseits von Gut und Boese)

More information about the syslog-ng mailing list