Syslog monitor addon beta
Moderators: Developers, Moderators
Just out of curiosity, I'd like to know how many devices you all are monitoring and at what level?
We run, for instance, most of our firewalls at debug. Trying to put all of that into the database and search on it simply KILLED our previous logging server - using a similar system. Is this plugin that much more efficient?
I know one of the issues with the old system is that we were compressing the files hourly - meaning that to search them they would have to be expanded into a temporary table, etc..
We run, for instance, most of our firewalls at debug. Trying to put all of that into the database and search on it simply KILLED our previous logging server - using a similar system. Is this plugin that much more efficient?
I know one of the issues with the old system is that we were compressing the files hourly - meaning that to search them they would have to be expanded into a temporary table, etc..
Re: Can't import syslog.sql to haloe database
Fixed, I had already taken it out on my side (My second test box runs Mysql 4), but didn't happen to remove it from the one I posted online.Pumpi wrote:Problem adding syslog.sql to haloe database (using plugin):
I use command mysql haloe < syslog.sql after I have created the dabase haloe but I get following error:
I'm running MySQL server version 4.0.18 on aSUSE Enterprise Server 9.ERROR 1064 at line 5: You have an error in your SQL Syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near 'collate_latin1_general_ci default NULL, priority varchar(10)
Thanks!
When I first started testing this, I had 38 windows servers, all dumping all Event Logs (several of them domain controllers dumping 10+ authenication events every second). This worked fine, but was very ineffecient when it came to trying to process new events in order to alert and remove ones we didn't want. So I switched it to a 2 table scheme, where all new events are added to the incoming table, and from there they would be parsed, alerted on, or removed. Everything left over was moved to the normal "viewing / storage" database. At the time, my server could easily handle 100,000 events in one processing (processes every 5 minutes after the poller) and querying the database wasn't very slow at all. I did find Msyslog to begin choking at around 150,000/per 5 minutes, as it would just start dropping random ones when they were coming in that fast, I didn't try the option to delay inserts, which probably would have helped slightly, but only if the alerts ever slowed down.knobdy wrote:Just out of curiosity, I'd like to know how many devices you all are monitoring and at what level?
We run, for instance, most of our firewalls at debug. Trying to put all of that into the database and search on it simply KILLED our previous logging server - using a similar system. Is this plugin that much more efficient?
I know one of the issues with the old system is that we were compressing the files hourly - meaning that to search them they would have to be expanded into a temporary table, etc..
Since then, I have ofcourse added lots of removal rules to define things I don't ever need to see. Changed the Windows Servers to only report errors or problems, and modified lots of code, so who knows what it can handle now (maybe for the worst). My current viewing database only has 300,000 records and 42 hosts. Running 20 removal rules, and normally only process 200 new records every polling, with 10-15 actually making past the filters (sometimes up to 2000). I even have nice pretty little graphs to display the amount processed, etc..
Dumping lots of info to an MySQL database is ofcourse going to make anything go slow. Our current Netflow implmentation logs to a MySQL database, is currently 3.4 GB and holds 28 Million records. Querying that beast takes a good 10-50 seconds depending on the query. Compressing the database if you are going to be doing lots of queries just compounds the issue even further. It also depends on what type of hardware you are running, we use custom built rackmount Chasis running 1.2 Duron and 1.5G Ram. The box also polls 42 hosts, runs NTop, scans via Mactrack every 30 minutes, and for the heck of it, scans via the Discovery plugin. Load average is around .5 (higher if doing lots of Netflow queries) and usually only using around half the memory.
Re: Small change to Syslog
Thanks, I like it and will be adding it in sortly. Possibly as an option as I could see this slowing down the querying alot if you have lots of hosts and/or events.mgb wrote:Did a minor change to syslog which could be easy implemented.
I wanted to display the number of entry's per ip in the syslog database in order to see problems on certain switches or routers faster.
Changed some code in haloe.php
|snip|
Hope someone can use this
Michael
I have about 90 servers logging their syslogs into an innodb table.
On average that's 80 events per second. Just testing so far how
the system is able to handle this. Querying does get to be a little
slow when the incoming table has grown to a few millions lines.
Cigamit, planning on releasing your version? Sounds good.
Would let me not do it myself.
-J
On average that's 80 events per second. Just testing so far how
the system is able to handle this. Querying does get to be a little
slow when the incoming table has grown to a few millions lines.
Cigamit, planning on releasing your version? Sounds good.
Would let me not do it myself.
-J
I'm sure I'm doing something wrong here but I figured I'd ask and see. I've got syslog-ng piping the data to mysql and the plugin is working and displaying the syslogs, my problem is that I'll get this message:
syslog-ng[26507]: syslog-ng version 1.6.9 going down
and the only way to get things working again is to restart syslog-ng. Any ideas?
Thanks!
syslog-ng[26507]: syslog-ng version 1.6.9 going down
and the only way to get things working again is to restart syslog-ng. Any ideas?
Thanks!
GREAT tool! I was able to get it to work, I did have to make the color change to match the lowercase of my logs "info, warn, crit", etc. I am still unable to get syslog-ng to run on startup as well as the pipe script "syslogpip.sh". If anyone could help out, that'd be great!!
P.S. I am using Fedora Core 4
P.S. I am using Fedora Core 4
Donald D. Quindardo
Computer Technician & Web Master
Crawford Central School District
11280 Mercer Pike
Meadville, PA 16335
Computer Technician & Web Master
Crawford Central School District
11280 Mercer Pike
Meadville, PA 16335
can't you just put it in /etc/rc.d/rc.local ?ccsdnoc wrote:GREAT tool! I was able to get it to work, I did have to make the color change to match the lowercase of my logs "info, warn, crit", etc. I am still unable to get syslog-ng to run on startup as well as the pipe script "syslogpip.sh". If anyone could help out, that'd be great!!
P.S. I am using Fedora Core 4
be sure to use full paths for the commands
Cacti1 OS: CentOS 5.6 | 300+ devices
Cacti2 OS: CentOS 5.6 | 300+ devices
King of the Elves
Local Anarchists Union #427
"Anarchism is founded on the observation that since few men are wise enough to rule themselves, even fewer are wise enough to rule others." -Edward Abbey
Cacti2 OS: CentOS 5.6 | 300+ devices
King of the Elves
Local Anarchists Union #427
"Anarchism is founded on the observation that since few men are wise enough to rule themselves, even fewer are wise enough to rule others." -Edward Abbey
Who is online
Users browsing this forum: No registered users and 2 guests