 From:  "Kimmo Jaskari" <kimmo dot jaskari at gmail dot com>
 To:  m0n0wall <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] Syslog server
 Date:  Thu, 29 Mar 2007 21:31:04 +0000
On 3/29/07, Ryan Crisman <rcrisman at tentec dot com> wrote:
> We are using the paid version right now.  But there is a Free version that
> limits you to 10,000 logs per day.

Isn't it 500MB of raw data per day for the free version? You also lose
some options with the free version, like password protected logins and
multiple users.

Anyway; if you are using (or can consider using) a *nix based machine
as your log server, preferably Solaris 10 ;), you should install
syslog-ng on that one.

syslog-ng is an extremely configurable syslog daemon and allows you to
filter, sort, send to multiple destinations etc etc. Using syslog-ng
there would be no problem sending your logs to both a Splunk server
(by, for instance, creating a named pipe) and an SQL database, while
still writing everything to directories on disk for simple text
searches and easy backup of the "raw" data.

It's hardly plug and play, but it's not incomprehensible either and it
does give you great flexibility and performance.

Personally, while I love Splunk and use it a lot myself, I wouldn't
use it as the only syslog server component. In my opinion it firmly
belongs in the log searching tool department where it excels, not as
the only log storage one has. Fortunately, by placing a syslog-ng in
front of it and copying off data to it via a named pipe, one can both
retain the raw log files and get all the benefits of Splunk.

-{ Kimmo Jaskari }--{ kimmo dot jaskari at gmail dot com }--

"Much of the social history of the Western world over the past three
decades has involved replacing what worked with what sounded good." --
Thomas Sowell
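As an added illustration of the setup described in the message (not part of the original mail or of the m0n0wall project): a syslog-ng configuration that receives the firewall's syslog over UDP, writes the raw text to per-host daily files, copies every message into a named pipe for Splunk to read, and inserts a structured copy into a MySQL table. It assumes a syslog-ng 3.x release with libdbi support; the firewall address, file paths, database name and credentials are placeholders.

```conf
@version: 3.38
# Match the version line to the syslog-ng release you actually run.

# m0n0wall forwards syslog over UDP/514.
source s_m0n0 {
    network(ip("0.0.0.0") port(514) transport("udp"));
};

# UDP syslog carries no authentication, so only accept messages that
# arrive from the firewall's address (placeholder address).
filter f_m0n0 { netmask("192.0.2.1/32"); };

# 1) Raw retention: one plain-text file per host per day, for grep and backup.
destination d_raw {
    file("/var/log/remote/${HOST}/${YEAR}-${MONTH}-${DAY}.log"
         create_dirs(yes) owner("root") group("adm") perm(0640));
};

# 2) Feed Splunk through a named pipe. syslog-ng does not create the FIFO:
#    create it first with `mkfifo /var/run/syslog-ng/splunk.pipe` and point
#    a Splunk file/pipe input at it. If nothing reads the pipe, syslog-ng
#    queues the messages in memory until the reader appears.
destination d_splunk {
    pipe("/var/run/syslog-ng/splunk.pipe"
         template("${ISODATE} ${HOST} ${MSGHDR}${MSG}\n"));
};

# 3) Structured copy in MySQL, one table per day of receipt (R_* macros are
#    the time the message was received, not the time claimed in the message).
destination d_sql {
    sql(type(mysql)
        host("127.0.0.1") username("syslog") password("CHANGE_ME")
        database("logs")
        table("messages_${R_YEAR}${R_MONTH}${R_DAY}")
        columns("datetime", "host", "program", "message")
        values("${R_DATE}", "${HOST}", "${PROGRAM}", "${MSGONLY}")
        indexes("datetime", "host"));
};

# One log path with three destinations: every accepted message goes to all.
log {
    source(s_m0n0);
    filter(f_m0n0);
    destination(d_raw);
    destination(d_splunk);
    destination(d_sql);
};
```

Run `syslog-ng --syntax-only -f <file>` before reloading; the files in `/var/log/remote` remain the authoritative copy if the pipe reader or the database is ever down.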