syslog server

Maximino_Velazquez · June 6, 2016, 8:59pm

Hi nanog community

I need help !!

What is the best syslog server (opensource)?

Thanks for your help

Regards.

Valdis_Kletnieks · June 7, 2016, 6:25am

Step 0: Define what "best" means in your environment.

What features do you need? Routing to a central aggregation server over TLS?
Powerful regex-based routing? Ingestion into a database (a la splunk or Elk)
for data mining? Ability to deal with insanely high message rates? Other
must-have or don't-care features? License pricing? Vendor support?

Step 1: After figuring out what you need, make a matrix of the available
options and how well they fit.

(We have in production syslog-ng, rsyslog, splunk, Elk, and probably a few
others I've forgotten, for different purposes....)

David_Hubbard · June 7, 2016, 7:02am

https://www.graylog.org/

STARNES_CURTIS · June 7, 2016, 11:26am

+1 on Graylog

Alain_Hebert · June 7, 2016, 12:36pm

Well,

I'll say an ELK stack, but seeing the original question...

I got to ponder on the capacity of the OP.

Peter_Loron · June 7, 2016, 5:24pm

I’m a big fan of Graylog.

-Pete

Cashell_Christopher · June 7, 2016, 9:55pm

There is no "best" when it comes to something like Syslog. There is only "best fit for your requirements". In order to determine that, you'll have to figure out what your goals and requirements are.

If you're just trying to do something basic and simple, like get logs from one machine to another, you should probably use what is available and supported by your vendor/distribution. For Debian/Ubuntu, you have Syslog-NG and RSyslog available. For Red Hat/CentOS, you have RSyslog as the default, and Syslog-NG available in EPEL. For other Operating Systems, you'll have to talk to your vendor or do some additional research.

If you want to do more than basic log shipping, then you've got some research to do. You need to map out the problem you're trying to solve, and decide on the requirements to accomplish it. Basic syslog is pretty easy. Enterprise log management is a lot more complicated. You start throwing in log aggregation, retention requirements, reliability requirements, encryption, log search, monitoring and alerting, etc., and you've got yourself a project.

There are multiple excellent Open Source solutions, but without knowing what you're trying to accomplish, it's difficult to recommend anything.

Grant_Ridder · June 8, 2016, 12:28am

+1 for ELKK (with kafka)
Doing several hundred GB of log per day with a dozen instances on AWS (ES
cluster + logstash hosts + kafak cluster)

-Grant

Andrew_D_Kirch1 · June 8, 2016, 1:04am

Journald is excellent. The binary storage format is a huge leap forward.

Andrew

Lars_Lehtonen · June 17, 2016, 9:39am

Greylog and Logstash are for having a convenient index of log messages,
but they're not particularly robust.

I've not seen syslog-ng crash, so I use it for collecting (and shipping)
log data. Logstash is convenient, pretty, and utterly unreliable. You
end up needing both.

- ---
Lars Lehtonen