For many of us, especially those of us managing firewalls, the volume of syslog messages that we receive on a daily basis can be overwhelming - especially for the systems that we have receiving, analyzing, and storing them.

Orion NPM includes a great Syslog Server - we've tested it under loads of several thousand messages per second without issue - but if you're receiving 10,000 syslog messages every minute and you're keeping 30 days' worth of history, do you really need 432,000,000 syslog messages eating up resources on your database server?

One of the features that many of our diehard Syslog users swear by is the rules/alert engine built into the Syslog server. Many people use this to detect and be alerted on security threats, malicious use of resources, etc. - but not too many people know that you can also use it to automatically filter the syslog messages before they get written to your database to keep your database size in check.

To do this, simply open the Syslog Viewer and choose "File", "Settings" and then go to the "Alerts/Filter Rules" tab. Once there, build a new rule to discard the unwanted messages before they're written to the database. You can filter it so that some of the messages that you really don't care about anyway are automatically dropped - saving lots of space on your SQL server and making the important messages much easier to store, review, and search.
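To show what such a filter rule set actually does to a stream of messages, here is an added example in Python (not code from the original post or from the Syslog Server itself). It parses BSD-style syslog lines, evaluates an ordered rule list where the first match wins, and only hands the survivors on for storage. The sample lines, the host name fw01 and the rule names are all constructed for the example, and the "keep rules before drop rules" ordering is a simplification of what the product's rule engine lets you build.

```python
import re
from typing import Callable, Dict, List, NamedTuple, Tuple

# Constructed sample syslog lines (not from the original post): BSD-style <PRI>
# header, timestamp, host and free-text message, as most firewalls emit them.
SAMPLE_LINES = [
    "<190>Jan 10 12:00:01 fw01 conn: built TCP 192.0.2.10:51234 -> 198.51.100.7:443",
    "<190>Jan 10 12:00:02 fw01 conn: teardown TCP 192.0.2.10:51234 -> 198.51.100.7:443",
    "<190>Jan 10 12:00:03 fw01 acl: DENY TCP 203.0.113.5:4444 -> 198.51.100.7:22",
    "<190>Jan 10 12:00:04 fw01 auth: login permitted for user admin from 192.0.2.10",
    "<191>Jan 10 12:00:05 fw01 debug: keepalive tick",
    "<187>Jan 10 12:00:06 fw01 ha: failover peer unreachable",
    "<190>Jan 10 12:00:07 fw01 cfg: configuration saved by admin",
]

# <PRI> is facility * 8 + severity; the rest is timestamp, host and message text.
PRI_RE = re.compile(r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$")


class SyslogMessage(NamedTuple):
    facility: int
    severity: int   # 0 = emergency ... 7 = debug
    timestamp: str
    host: str
    text: str


def parse(line: str) -> SyslogMessage:
    """Split one BSD syslog line into its header fields and message text."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError(f"not a BSD syslog line: {line!r}")
    pri = int(m.group(1))
    return SyslogMessage(pri // 8, pri % 8, m.group(2), m.group(3), m.group(4))


# A rule is (name, action, predicate); rules are evaluated in order, first match wins.
Rule = Tuple[str, str, Callable[[SyslogMessage], bool]]

RULES: List[Rule] = [
    # Keep rules come first so a broad drop rule can never discard anything a
    # detection or an investigation might need.
    ("keep-errors", "keep", lambda m: m.severity <= 4),          # emerg .. warning
    ("keep-denies", "keep", lambda m: "DENY" in m.text),         # blocked traffic
    ("keep-auth", "keep", lambda m: m.text.startswith("auth:")), # logins, admin access
    # Drop rules: high-volume housekeeping that only consumes database space.
    ("drop-debug", "drop", lambda m: m.severity == 7),
    ("drop-conntrack", "drop", lambda m: m.text.startswith("conn:")),
]


def filter_messages(lines: List[str], rules: List[Rule] = RULES):
    """Return (messages to store, per-rule hit counts) for a batch of raw lines."""
    kept: List[SyslogMessage] = []
    counts: Dict[str, int] = {}
    for line in lines:
        msg = parse(line)
        for name, action, pred in rules:
            if pred(msg):
                counts[name] = counts.get(name, 0) + 1
                if action == "keep":
                    kept.append(msg)
                break
        else:
            # No rule matched: default to keeping, so a gap in the rule set
            # never silently loses data.
            counts["default-keep"] = counts.get("default-keep", 0) + 1
            kept.append(msg)
    return kept, counts


def projected_rows(per_minute: int, retention_days: int, keep_ratio: float = 1.0) -> int:
    """Rows the database will hold at a steady message rate over the retention window."""
    return int(per_minute * 60 * 24 * retention_days * keep_ratio)


if __name__ == "__main__":
    kept, counts = filter_messages(SAMPLE_LINES)
    print(f"stored {len(kept)} of {len(SAMPLE_LINES)} messages; rule hits: {counts}")
    ratio = len(kept) / len(SAMPLE_LINES)
    print("30-day rows at 10,000/min, unfiltered:", projected_rows(10_000, 30))
    print("30-day rows at 10,000/min, filtered:  ", projected_rows(10_000, 30, ratio))
```

The per-rule hit counts are worth keeping an eye on in any real deployment: if a drop rule's count suddenly changes, either the device started logging differently or the rule is matching more than you intended, and either way it is the moment to check that the messages your alert rules depend on are still reaching the database.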

Anyways, hope this helps and ping me if you have any questions on this.

Flame on...
Josh