
Log Consolidation

John Payne_2
Honored Contributor

Log Consolidation

Who's doing log consolidation out there? Are you using syslog forwarding, or something else, or a combination?

Do you have an event correlation engine out there somewhere looking for things for you?

We are looking at possibly starting some sort of log consolidation and event correlation thing. Any tips?

Steven E. Protter
Exalted Contributor

Re: Log Consolidation


If by log consolidation you mean having a central log server, yes, I've done that two ways.

The first on a master mail server, all /var/log/maillog (linux) was sent via port 514 to a central server so we could see in near real time when the mail servers were under assault.

Another handy way is to dump all logs to an NFS mount so they sit in a central location. Normally I edit the syslog conf file to provide a local copy in case the network is out. CYA.

Steven E Protter
Owner of ISN Corporation
A. Clay Stephenson
Acclaimed Contributor

Re: Log Consolidation

You can set up syslog forwarding. A better alternative is to consider a product like OpenView Operations. OV/O makes it possible to monitor events across your enterprise and then report them to a common location. It also makes it rather easy to segregate problems so that network events go to the network admin, database events go to the DBA, UNIX problems are routed to the UNIX admins, Windows stuff goes to the Windows guys, ... . Problem escalation can be done and even automatic handling of events can be done. For example, if a filesystem is filling up, it is possible to automatically expand this resource "on the fly" after clearing some automatic tests. OV/O isn't cheap but it may be less expensive than almost any other option if high-availability and problem-tracking is required. Events appear in the current event monitor and are transferred to the history file as they are acknowledged. This is intended to be the sole mechanism for clearing the current event log. This means that the existence of an event in a history log is prima facie evidence that an event was detected and examined by someone --- a really nice thing for auditors.
If it ain't broke, I can fix that.
Rita C Workman
Honored Contributor

Re: Log Consolidation

Hi John,

The only thing we're doing is syslog forwarding to one central server. And that only of certain events (not everything).
From there we have a script cron'd to run regularly to check for any events and notify parties.
We maintain the events, once forwarded, in a file for auditing.

We really don't have the resources to spend the time on setting up something larger. Wish we did.

Regards !
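The kind of cron'd check Rita describes, run over the maillog that Steven forwards to a central server, as an added example that is not code from any poster in this thread: it parses BSD-format syslog lines, assumes the year 2004 because syslog lines carry none, and flags a source address that fails authentication repeatedly across the mail hosts. The log lines, hostnames mail1/mail2, message wording and TEST-NET addresses are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of lines as they would land in the central maillog.
SAMPLE_LOG = """\
Mar  3 10:15:01 mail1 sendmail[2301]: AUTH failure: user=bob relay=[203.0.113.5]
Mar  3 10:15:04 mail2 sendmail[4410]: AUTH failure: user=alice relay=[203.0.113.5]
Mar  3 10:15:09 mail1 sendmail[2301]: AUTH failure: user=root relay=[203.0.113.5]
Mar  3 10:15:30 mail1 sendmail[2302]: from=<jane@example.com>, size=1024, relay=[198.51.100.7]
Mar  3 10:16:02 mail2 sendmail[4411]: AUTH failure: user=bob relay=[198.51.100.7]
Mar  3 10:25:00 mail1 sendmail[2303]: AUTH failure: user=bob relay=[203.0.113.5]
"""

# BSD syslog line: "Mon DD HH:MM:SS host prog[pid]: message"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[\w.-]+)(?:\[\d+\])?: (?P<msg>.*)$")
# Message pattern for the constructed failure lines (assumed format, not sendmail's exact text).
FAIL_RE = re.compile(r"AUTH failure: user=(?P<user>\S+) relay=\[(?P<src>[\d.]+)\]")

def parse_line(line, year=2004):
    """Split one syslog line into fields; None for a malformed line so the cron job keeps going."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")  # year is assumed
    return {"ts": ts, "host": m["host"], "prog": m["prog"], "msg": m["msg"]}

def find_auth_bursts(log_text, threshold=3, window_s=60):
    """One alert per source that produced >= threshold auth failures within
    window_s seconds, counted across every host forwarding to the central server."""
    failures = defaultdict(list)  # src -> [(ts, host, user), ...]
    for line in log_text.splitlines():
        rec = parse_line(line)
        f = FAIL_RE.search(rec["msg"]) if rec else None
        if f:
            failures[f["src"]].append((rec["ts"], rec["host"], f["user"]))
    alerts = []
    for src, hits in failures.items():
        hits.sort()
        for i in range(len(hits)):
            j = i  # grow the window from hit i while the next hit is still inside it
            while j + 1 < len(hits) and (hits[j + 1][0] - hits[i][0]).total_seconds() <= window_s:
                j += 1
            if j - i + 1 >= threshold:
                alerts.append({"src": src, "count": j - i + 1, "first": hits[i][0],
                               "hosts": sorted({h for _, h, _ in hits[i:j + 1]})})
                break  # report each source once per run
    return alerts
```

Run against a real maillog, the alert list is what the cron job would mail out; the parsed records, not just the alerts, are what goes into the audit file.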