HPE Community
Operating System - HP-UX
1752728 Members
5845 Online
108789 Solutions
New Discussion юеВ

Log Consolidation

 
SOLVED
Go to solution
John Payne_2
Honored Contributor

тАО10-15-2007 03:08 AM

тАО10-15-2007 03:08 AM

Log Consolidation

Who's doing log consolidation out there? Are you using syslog forwarding, or something else, or a combination?

Do you have an event correlation engine out there somewhere looking for things for you?

We are looking at possibly starting some sort of log consolidation and event correlation thing. any tips?

Thanks
John
Spoon!!!!
0 Kudos
Reply
3 REPLIES 3
Steven E. Protter
Exalted Contributor

тАО10-15-2007 03:38 AM

тАО10-15-2007 03:38 AM

Solution

Re: Log Consolidation

Shalom,

If by log consolidation you mean having a central log server, yes, I've done that two ways.

The first on a master mail server, all /var/log/maillog (linux) was sent via port 514 to a central server so we could see in near real time when the mail servers were under assult.

Another handy way is to dump all logs to an NFS mount mount so they sit in a central location. Normally I edit the syslog conf file to provide a local copy in case the network is out. CYA.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Reply
A. Clay Stephenson
Acclaimed Contributor

тАО10-15-2007 04:04 AM

тАО10-15-2007 04:04 AM

Re: Log Consolidation

You can set up syslog forwarding. A better alternative is to consider a product like OpenView Operations. OV/O makes it possible to monitor events across your enterprise and then report them to a common location. It also makes it rather easy to segragate problems so that network events go to the network admin, database events go to the DBA, UNIX problems are routed to the UNIX admins, Windows stuff goes to the Windows guys, ... . Problem escalation can be done and even automatic handling of events can be done. For example, if a filesystem is filling up, it is possible to automatically expand this resource "on the fly" after clearing some automatic tests. OV/O isn't cheap but it may be less expensive that almost any other option if high-availabilty and problem-tracking is required. Events appear in the current event monitor and are transferred to the history file as they are acknowledged. This is intended to be the sole mechanism for clearing the current event log. This means that the existence of an event in a history log is prima facie evidence that an event was detected and examined by someone --- a really nioce thing for auditors.
If it ain't broke, I can fix that.
0 Kudos
Reply
Rita C Workman
Honored Contributor

тАО10-15-2007 04:55 AM

тАО10-15-2007 04:55 AM

Re: Log Consolidation

Hi John,

The only thing we're doing is syslog forwarding to one central server. And that only of certain events (not everything).
From there we have a script cron'd to run regularly to check for any events and notify parties.
We maintain the events, once forwarded, in a file for auditing.

We really don't have the resources to spend the time on setting up something larger. Wish we did.

Regards !
Rita
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.