
What is everyone using to collect, alert, and analyze syslog data?
I am looking for something that can generate reports as well as support
multiple vendors. We have done some home grown stuff in the past but
would be interested in something that incorporates all the best features.

SolarWinds, Splunk, fwanalog, and others come to mind, any other good ones
out there?

Mike

It's a bit old but still works well. Russel Fulton and I worked on this when I was down in NZ.

You still need to run syslog-ng but this allows you to ignore, warn, alert on logs via regex.

http://www.ip-solutions.net/syslog-ng/

Cheers,
Harry

I've been testing ManageEngine's syslog application. It works pretty well so far; I haven't really hammered it with a lot of devices.

Splunk is supposed to be king of the hill I hear, but so is their pricing.....

We use Splunk; it works OK except for the amount of text data you can
process with it (depends on license).

-B

Is it really that expensive, and WORTH the expense?

Use Splunk here.

Cheers,
RR

IMO, from price quotes I've gotten in the past, it's astronomically
expensive. As for worth it...depends. If you're dealing with events
for say payment processing systems, it might be. But as a general use
tool, it's way outside of being worth it. You license based on the
incoming bytes of logging data. But you still have to buy the
hardware to process it. They also expect you to pay for that license
time and time again.

Thank you! That's a bummer about the way they license their product.

All it takes is another "splunk" company to come out with something just as competitive....

I've been happy with my basic ManageEngine's syslog, but I may be looking at Solarwinds too...

I've just installed the Splunk eval myself, but I'm curious about your ManageEngine experiences. I don't have any interest in using ManageEngine as an NMS; I have a couple of tools that I use for that already. Can you use ManageEngine's syslog without having to set it up to monitor all of your devices first? Have you looked at the TRAP support in ManageEngine?

I'm obviously biased as I'm the Head Geek here at SolarWinds but if you need any help or guidance with our products feel free to ping me off list.

Josh

Have you tried QRadar? It's rather good.

SolarWinds, Splunk, fwanalog, and others come to mind, any other good ones
out there?

We've made some great strides in OpenNMS in the area of syslog event
processing. The upcoming 1.10 release will be much easier to get
going, particularly since we now have pluggable message parsers -- you
no longer need Wireshark and a black belt in regular expressions to
start receiving events from syslog sources. We've also made it
possible to split the syslog rules across multiple files, which makes
maintaining your own rules much easier compared to the old monolithic
style.

It's still not going to be Splunk-easy to configure, but it's now
darned close to Netcool OMNIbus syslogd probe-easy. Plus you get
pretty JasperReports reports based on your events like this one (or
roll your own):

http://opennms.org/~jeffg/event-analysis-sample.pdf

Also flexible event notifications, event de-duplication, and SNMP trap
handling as well as service-assurance polling, performance data
collection via SNMP, HTTP, WMI, SQL/JDBC, and other protocols.

Oh yeah, it's 100% free / libre / open source software. And you can
get support for it from my employer.

PR hat off,
-jeff

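The ignore/warn/alert-by-regex approach Harry describes, combined with the event de-duplication Jeff mentions, as an added Python illustration (not code from either project; the sample log lines, rule table, host names and addresses are constructed):

```python
import re
SAMPLE_LOGS = [  # constructed BSD-syslog (RFC 3164) lines; not taken from the thread
    "<34>Oct 11 22:14:15 fw1 sshd[1234]: Failed password for root from 203.0.113.5 port 4222 ssh2",
    "<34>Oct 11 22:14:16 fw1 sshd[1234]: Failed password for root from 203.0.113.5 port 4223 ssh2",
    "<30>Oct 11 22:14:17 sw1 stpd: topology change detected on port 3",
    "<31>Oct 11 22:14:18 sw1 cron[99]: (root) CMD (run-parts /etc/cron.hourly)",
    "<14>Oct 11 22:14:19 rtr1 bgpd: neighbor 192.0.2.1 Down BGP Notification received",
]
RULES = [  # first match wins, so order matters, like a firewall policy
    ("ignore", re.compile(r"\bcron\[\d+\]: \(\w+\) CMD")),
    ("alert", re.compile(r"Failed password for (?:invalid user )?\w+ from (?P<ip>[\d.]+)")),
    ("alert", re.compile(r"bgpd: neighbor (?P<ip>[\d.]+) Down")),
    ("warn", re.compile(r"topology change")),
]
SYSLOG_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")
def parse(line):
    """Split a BSD syslog line into facility, severity, host and message; None if malformed."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))  # PRI = facility * 8 + severity
    return {"facility": pri >> 3, "severity": pri & 7, "host": m.group("host"), "msg": m.group("msg")}
def classify(msg):
    """Return (action, rule index, named captures); unmatched text defaults to 'warn' so it surfaces."""
    for i, (action, rx) in enumerate(RULES):
        m = rx.search(msg)
        if m:
            return action, i, m.groupdict()
    return "warn", -1, {}
def admit(seen, key, now, window=60):
    """De-duplication: pass the first event for `key` in a `window`, count and suppress the repeats."""
    rec = seen.get(key)
    if rec and now - rec[0] < window:
        rec[1] += 1
        return False
    seen[key] = [now, 1]  # [first seen, count]
    return True
def process(lines, start=0.0, seen=None):
    """parse -> classify -> dedup; one line per simulated second; returns events to surface."""
    seen = {} if seen is None else seen
    surfaced = []
    for i, line in enumerate(lines):
        ev = parse(line)
        if ev is None:  # malformed input is worth a look, never silently dropped
            surfaced.append(("warn", "?", line))
            continue
        action, rule, fields = classify(ev["msg"])
        if action != "ignore" and admit(seen, (ev["host"], rule, fields.get("ip")), start + i):
            surfaced.append((action, ev["host"], ev["msg"]))
    return surfaced
```

The de-duplication key includes the captured IP, so a burst of failures from one source collapses to a single alert plus a count while a second source still raises its own.
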
Good question, we do not use ManageEngine for NMS and I have no desire to use them either.
I tried their NMS platform last year and it was "ok", the interface just seemed a little clunky....

Setting up ManageEngine syslog was a breeze and now we get alerts based on what kind of messages we want; it's pretty hands-off, I'm sure you could fine-tune it further...

But I hear that SolarWinds NPM has syslog built into it, so I'm thinking of going with one product that covers it all....

I've used Splunk and QRadar; both are available as free VMware
appliances with limitations on log volume, sufficient for testing. Or
if you're mostly looking at webserver/proxy/firewall logs, Sawmill is
worth checking out.

I've also been looking into using Lancope's replicator to take in
syslog UDP and send copies to multiple loggers, since some appliances
only support a single syslog destination.

Kevin
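
A minimal version of the UDP fan-out Kevin describes, added here as an illustration rather than code from Lancope or any other product; the listening port and collector addresses are assumed placeholders:

```python
import socket

LISTEN = ("0.0.0.0", 5514)  # assumed; port 514 needs privileges on most systems
DESTINATIONS = [("192.0.2.10", 514), ("192.0.2.11", 514)]  # constructed placeholder collectors

def replicate(datagram, destinations, send):
    """Send an unmodified copy of `datagram` to every destination; returns how many sends succeeded.
    `send` is injected (socket.sendto in production) so the fan-out logic can be tested offline."""
    delivered = 0
    for dest in destinations:
        try:
            send(datagram, dest)
            delivered += 1
        except OSError:
            pass  # one unreachable collector (e.g. no route) must not starve the others
    return delivered

def serve(listen=LISTEN, destinations=DESTINATIONS):
    """Blocking loop: receive syslog over UDP and fan each datagram out to all collectors."""
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    rx.bind(listen)
    tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    while True:
        datagram, _src = rx.recvfrom(65535)
        # Collectors see this relay, not `_src`, as the UDP source address; the HOSTNAME field
        # inside the syslog message is what still identifies the originating device.
        replicate(datagram, destinations, tx.sendto)

if __name__ == "__main__":
    serve()
```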

Jeff,

When is 1.10 going to be released?

thx,
/bs

Hi Mike,
We have used octopussy ( http://www.8pussy.org/dokuwiki/doku.php?id=home yes, it is work safe :) ) with ok results.
Have used sec ( simple event correlator http://simple-evcorr.sourceforge.net/ ) to some success in simple cases.

Currently having another look at this myself and the following look interesting, but have not deployed them yet
http://logstash.net/
http://graylog2.org/about

Ben

8pussy.org ?

+1 for SEC, minimal hit on the CPU like most parsing tools, the regexp can be painful but it is fairly extensible. Once you get used to it you'll love it.

A sub-question to this would be - is anyone using an app or client that will forward Windows OS events to said collector? I've seen LogLogic and others. Was just curious if you've used a small scale version to collect security events - log on, log off, etc...?

http://code.google.com/p/eventlog-to-syslog/