What is everyone using to collect, alert, and analyze syslog data?
I am looking for something that can generate reports as well as support
multiple vendors. We have done some home grown stuff in the past but
would be interested in something that incorprates all the best features.

Soalrwinds, splunk, fwanalog, and others come to mind, any other good ones
out there?


It's a bit old but still works well. Russel Fulton and I worked on this when I was down in NZ.

You still need to run syslog-ng but this allows you to ignore, warn, alert on logs via regex.


I've been testing ManageEngines Syslog application. It works pretty good so far, I haven't really hammered
it with a lot of devices.

Splunk is suppose to be king of the hill I hear, but so is their pricing.....

We use splunk works ok except with the amount of text data you can
process with it (depends on license).


Is it really that expensive, and WORTH the expense?

Use Splunk here.


IMO, from price quotes I've gotten in the past, it's astronomically
expensive. As for worth it...depends. If you're dealing with events
for say payment processing systems, it might be. But as a general use
tool, it's way outside of being worth it. You license based on the
incoming bytes of logging data. But you still have to buy the
hardware to process it. They also expect you to pay for that license
time and time again.

Thank you! That's a bummer about the way they license their product.

All it takes is another "splunk" company to come out with something just as competitive....

I've been happy with my basic ManageEngine's syslog, but I may be looking at Solarwinds too...

I've just installed the Splunk eval myself, but I'm curious about your ManageEngine experiences. I don't have any interest in using ManageEngine as an NMS; I have a couple of tools that I use for that already. Can you use ManageEngine's syslog without having to set it up to monitor all of your devices first? Have you looked at the TRAP support in ManageEngine?

I'm obviously biased as I'm the Head Geek here at SolarWinds but if you need any help or guidance with our products feel free to ping me off list.


Have you tried qradar? It's rather good

Soalrwinds, splunk, fwanalog, and others come to mind, any other

good ones

out there?

We've made some great strides in OpenNMS in the area of syslog event
processing. The upcoming 1.10 release will be much easier to get
going, particularly since we now have pluggable message parsers -- you
no longer need Wireshark and a black belt in regular expressions to
start receiving events from syslog sources. We've also made it
possible to split the syslog rules across multiple files, which makes
maintaining your own rules much easier compared to the old monolithic

It's still not going to be Splunk-easy to configure, but it's now
darned close to Netcool OMNIbus syslogd probe-easy. Plus you get
pretty JasperReports reports based on your events like this one (or
roll your own):

Also flexible event notifications, event de-duplication, and SNMP trap
handling as well as service-assurance polling, performance data
collection via SNMP, HTTP, WMI, SQL/JDBC, and other protocols.

Oh yeah, it's 100% free / libre / open source software. And you can
get support for it from my employer.

PR hat off,
- -jeff

Good question, we do not use manageengine for NMS and I have no desire to use them either.
I tried their NMS platform last year and it was "ok", the interface just seemed a little clunky....

Setting up ManageEngine syslog was a breeze and now we get alerts based on what kind of messages
we want, it's pretty hands off, I'm sure you could fine tune it further...

But I hear that solarwinds NPM has syslog built into it, so I'm thinking of going with one product that covers
it all....

I've used Splunk and QRadar; both are available as free VMware
appliances with limitations on log volume, sufficient for testing. Or
if you're mostly looking at webserver/proxy/firewall logs, Sawmill is
worth checking out.

I've also been looking into using Lancope's replicator to take in
syslog UDP and send copies to multiple loggers, since some appliances
only support a single syslog destination.



When is 1.10 going to be released?


Hi Mike,
We have used octopussy ( yes it is work safe :slight_smile: ) with ok results.
Have used sec ( simple event correlator ) to some success in simple cases.

Currently having another look at this myself and the following look interesting, but have not deployed them yet

Ben ?

+1 for SEC, minimal hit on the cpu like most parsing tools, the regexp can be painful but it is fairly extensible. Once you get used to it you'll love it.

A sub question to this would be - is anyone using an app or client that will forward windows OS events to said collector? I've seen Loglogic and others. Was just curious if you've used a small scale version to collect security events - log on, log off, etc...?