Syslog Server

Monkerz Member Posts: 842
Anyone know of a good free syslog server? I am currently using an older version of SolarWinds, but it will not let me run it as a service, and I have to have the application open to log events.

Comments

  • exampasser Member Posts: 718 ■■■□□□□□□□
    Linux distros such as CentOS/Redhat run the syslog service and you can configure the syslog service to receive log messages from remote machines.
  • Monkerz Member Posts: 842
    I am an eTard when it comes to Linux.
  • RTmarc Member Posts: 1,082 ■■■□□□□□□□
    Splunk. They have a free version and an enterprise version.
  • Forsaken_GA Member Posts: 4,024
    For most enterprise deployments, I use syslog-ng, since it provides excellent filtering and logging options (each host can have its own log file, or each type, severity level, etc.; very granular).

    On my home network, my traffic is low enough that I've been using the free version of Splunk and feeding it all my log files. The event correlation is pretty cool.
  • Monkerz Member Posts: 842
    Thank you for your replies. Splunk free version will definitely not work for me. I am currently looking into syslog-ng (running on Windows) and Snare Audit and EventLog Management.

    Maybe I can get something to work for me. Sure wish this was in the budget. :)
  • Daniel333 Member Posts: 2,077 ■■■■■■□□□□
    Hey dude, what about Splunk free edition won't work?
    -Daniel
  • Forsaken_GA Member Posts: 4,024
    Daniel333 wrote: »
    Hey dude, what about Splunk free edition won't work?

    I'm guessing the amount of traffic that it will handle. It really doesn't give you much to play with in a production environment (which is the point, they want you to pay them). It works great for little traffic or a lab, but to use Splunk in production usually requires some cash, and from what I've gathered, the OP has no budget to implement this solution.
  • Monkerz Member Posts: 842
    Forsaken is right on. I did not request money for this solution before the budget was finalized for the FY. I'll have to get by until next year. Just trying to get something to work till then.
  • Monkerz Member Posts: 842
    OK, I was able to get syslog-ng to work via Cygwin. Have a question though.

    Seems as if a few hundred devices have the incorrect time on them. Rather than going through every single device and changing the time to the correct time, can I make syslog-ng timestamp the messages?
  • Forsaken_GA Member Posts: 4,024
    Look at the keep_timestamp setting. If you set it to yes, it will use the timestamp that was sent with the syslog message. If you set it to no, it will replace it with the timestamp of the message that was received.

    However, I *sincerely* recommend that you get everything up and running on NTP so that everything has correct time. Trying to do event correlation (and not everything you'll need to look at will be logged via syslog) with incorrect time is a HUGE pain in the rear. Do yourself a favor and invest a little up-front time to get everything consistent, then make sure everything is running NTP so it *stays* consistent. It'll save you a lot of time later.
  • terryfera Member Posts: 71 ■■■□□□□□□□
    Even though you've got syslog-ng set up, you may want to look at Graylog2 (Graylog2 - Free open source self-hosted log management and exception tracking) if you like the idea of a more powerful way to search logs. One nice thing about it is you can use it to just collect the logs from your syslog-ng server (in theory, haven't tried it :)) and just use Graylog for searching/analytics/alerting.
  • Forsaken_GA Member Posts: 4,024
    terryfera wrote: »
    Even though you've got syslog-ng set up, you may want to look at Graylog2 (Graylog2 - Free open source self-hosted log management and exception tracking) if you like the idea of a more powerful way to search logs. One nice thing about it is you can use it to just collect the logs from your syslog-ng server (in theory, haven't tried it :)) and just use Graylog for searching/analytics/alerting.

    You can; you can set syslog-ng up to forward logs it has received from other servers, making it a relay point, so you could have it relay into Graylog.

    I've tried Graylog, and found it to be wanting. The impression I get is that it's basically a crappy version of Splunk. However, I stipulate that this is my own personal opinion, and those interested should evaluate the product for themselves.
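Putting the two syslog-ng points from the replies above into one configuration: the keep_timestamp setting from the earlier reply (set to no so the logged time is the collector's receive time rather than the device's possibly wrong clock), one log file per sending host as mentioned near the top of the thread, and a second destination that relays every received message on to a Graylog input. This is an added example, not a configuration from this thread or from the syslog-ng project; the @version line, the file paths, the host name graylog.example.internal and the port 5140 are assumptions to adjust for the local install (the Cygwin build will use different paths).

```conf
@version: 3.38
# Added example (not from the thread or the syslog-ng project): a minimal
# collector that stamps messages with the receive time, writes one file per
# sending host, collects errors separately, and relays everything to Graylog.
# Version line, paths, Graylog host name and port are assumptions.

options {
    keep_timestamp(no);    # discard the device's own clock; use time of receipt
    create_dirs(yes);      # let syslog-ng create the per-host directories
    use_dns(no);           # record the sender's IP as HOST; no DNS lookups while receiving
};

# Accept syslog from the network on the standard port over UDP and TCP.
source s_remote {
    network(ip("0.0.0.0") port(514) transport("udp"));
    network(ip("0.0.0.0") port(514) transport("tcp"));
};

# One file per sending host, split by facility.
destination d_per_host {
    file("/var/log/remote/${HOST}/${FACILITY}.log");
};

# Messages at severity err or worse from every host, in a single file for quick review.
filter f_errors {
    level(err..emerg);
};
destination d_errors {
    file("/var/log/remote/errors.log");
};

# Relay every received message to a Graylog syslog input (assumed host name and port).
destination d_graylog {
    network("graylog.example.internal" port(5140) transport("tcp"));
};

# Everything received goes to the per-host files and to Graylog.
log {
    source(s_remote);
    destination(d_per_host);
    destination(d_graylog);
};

# Errors and worse are additionally written to the shared error file.
log {
    source(s_remote);
    filter(f_errors);
    destination(d_errors);
};
```

Check the file with `syslog-ng -s -f <path>` before reloading. Note the trade-off in keep_timestamp(no): the device's original timestamp is dropped, so if that value is ever needed as evidence of how far a clock was off, keep_timestamp(yes) with a file template that writes both ${S_ISODATE} and ${R_ISODATE} preserves the sent and received times side by side; the NTP advice in the thread still stands, because the receive time only tells you when the collector saw the message, not when the event happened.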
  • lsud00d Member Posts: 1,571
    However, I *sincerely* recommend that you get everything up and running on NTP so that everything has correct time.

    This ^infinity
  • terryfera Member Posts: 71 ■■■□□□□□□□
    I've tried Graylog, and found it to be wanting. The impression I get is that it's basically a crappy version of Splunk. However, I stipulate that this is my own personal opinion, and those interested should evaluate the product for themselves.

    I agree on the crappy version of Splunk comment, but if you're over that 500 MB/day of logs it's something slightly more powerful than straight-up logging and a little more cost effective than licensing of Splunk :).

    I also agree, try out the products for yourself, that's the only way to determine if it will fit your needs or not.
  • DevilWAH Member Posts: 2,997 ■■■■■■■■□□
    Kiwi tools make a nice syslog server, both free and paid for. Simple yet effective if you don't mind some hands-on configuration. Were bought out by SolarWinds a few years back, but last time I looked still an excellent product.
    • If you can't explain it simply, you don't understand it well enough. Albert Einstein
    • An arrow can only be shot by pulling it backward. So when life is dragging you back with difficulties, it means that it's going to launch you into something great. So just focus and keep aiming.