Orion Syslog with Windows Syslogforwarder v1

All -

We are looking at setting up some windows event log consolidation to comply with some cyber security requirements. I currently have just one box sending syslogs to the Orion Syslog with Authentication successes and failures which works well. It is also showing up within the webconsole.

Is there a way to only present the authentication failures to the webconsole and just have the authentication successes logged in the database? The Authentication success are clogging up some of the views in the webconsole.

My other question is how much of a load can the syslog server handle? This one box I added in logged over 600,000 in one day and I am looking to add in about 350 more servers.

Regards,

Trav

Find more posts tagged with

orion_syslog

logforwarder

npm_10.2

Accepted answers

All comments

byrona

Is there a way to only present the authentication failures to the webconsole and just have the authentication successes logged in the database? The Authentication success are clogging up some of the views in the webconsole.

Yes, when you configure your syslog alert rules in the syslog console tool one of the actions you can choose it to Discard the message which will keep it from logging to the database.

My other question is how much of a load can the syslog server handle? This one box I added in logged over 600,000 in one day and I am looking to add in about 350 more servers.

This depends on how you have the rules setup in the syslog tool. See my posting HERE (2nd from the top) to review what my experiences with this have been.

Hope this helps!

FormerMember

Thanks for the info byrona! I guess I need to clarify my first question. We are required by certain regulations to keep records of success and failure login audits for 30 days. So your proposal for discarding the authentication successes does not work for me. My end goal is to have everything in the database but only have authentication failures show up in the webconsole.

Any ideas surrounding that?

byrona

My recommendation would be to get a copy of the SolarWinds Kiwi Syslog Server. You can send all of your logs to it as your archive point and it will even allow you to compress the logs to save space for long term storage. From there you can also forward just the important logs for alerting to your Orion server and spoof the original sending systems IP so in Orion it will look like it came from the original system.

The Kiwi Syslog Server is very inexpensive and you can get an evaluation copy from the SolarWind site if you want test drive before you purchase it.

FormerMember

Thanks for the quick responses and feedback! I'll definitely take this into consideration. Just out of curiosity, is there any way to set up another Orion Syslog server instead of Kiwi?