Syslog Server Requirements

We have NPM 11.5.2 and we are thinking of integrating our Cisco Syslogs into our monitoring. We have about 170 devices we want to pull logs from and keep up to 3 months (most likely more) of logs to monitor from. We are using several SW products (SAM,WPM,NTA, etc) so our NOC is constantly in the console checking and fine tuning.

My question is this:

1. How much resource allocation should we plan for with the devices and time we want to keep?

2. Should we expect a performance hit in terms of using the products?

3. Could we have a separate DB for Syslog?

Find more posts tagged with

syslog server

Accepted answers

All comments

cjfranca

look this Orion multi-module system guidelines

arachenta

Thanks for this. Do you know of any documentation on separate databases for another module?

RichardLetts

You cannot separate the databases out for the modules -- there is simply too much shared data between them

You have to assess the volume of syslog data and decide what you need to keep in SolarWinds. talk with your security or audit staff about what they might need -- they are the ones with most interest in policy around this.

I'm going to suggest that unless your devices are really chatty 170 sources really should not be generating significant load.

As an example here we record syslogs to a syslog server for archival/audit purposes, and the same logs to Solarwinds/Orion for operational purposes.

I filter the logs that we retain in Orion (discarding messages in the syslog rules) so only operationally significant events are retained, and only keep them for 30 days.

We have around 5M syslog records (~= 2 syslog messages/second) for ~5000 log sources

this illustrates a problem you may run into:

count	Nodeid
2173829	7160
447312	9436
295492	0
240080	5747
196708	6746
164658	5559
160784	10923
87847	7836
75628	6598

You can see that a small number of nodes count for lots of the messages (and nodeid 7160 went nuts)

Node 0 == this is some as yet unknown device sending us syslog data.