
Send log to Kiwi vs Save in a log file


Hi there,

I'm trying to figure out which way is better. Correct me if I'm wrong.

Currently, I want to change the log level from critical to notification. I tried to avoid filling up log storage in the switch (e.g. 3850).

1. Kiwi: I need to change the console log level in order to send notification logs to Kiwi, which means all the notification logs would then be stored locally in the switch.

2. Log file (logging logfile logfile-name severity-level [ size bytes ]): I can just change the log file level to notification, and still store critical logs locally in the switch.

If I'm right about the concept, wouldn't it be better to store syslogs in a log file instead of sending them to Kiwi?

Thank you!!

Best,

Lionel

0 Kudos
1 Solution

soleilion​ I'm not too sure about storing logs/files on the switches, but we benefit greatly by aggregating logs, from all of our devices/servers/etc., into Kiwi. Once Kiwi receives those logs, they are stored in various flat files based on which device/type/purpose/locations/etc. they came from. Additionally, as has happened numerous times over the years, when a device goes down hard, and we cannot turn it up or log into it, while the first person is running troubles on the device, the second person is digging into the logs, alerts, etc. to find out what happened.

While I'm not sure how your environment is configured, I know having a solid, separate, standalone syslog server works very well for us. Going to a single server, then being able to view all of the logs from all of our devices, usually works out better for us.

Thank you,

-Will


6 Replies

I agree with Will on his reasoning for using Kiwi. Kiwi also gives you a good amount of flexibility with what you can do with the data being received. Not just flat file storage, but potentially putting it into a database for potential future reporting/searchability. Acting as a forwarding device to send the information on to other systems for event correlation or just data ingestion. Alerting possibilities. Filtering options if you want to receive the noisier information but are trying to get specific bits out of the noise. The filtering helps reduce the amount of noisy data that could be sent on for some other event correlation/monitoring solution, freeing up resources for that solution to process relevant information.

Thank you Jeff. I love your answer too. Sorry I had to choose Will's answer since he was the first one who replied.

0 Kudos

j_a_catlin I do have a follow-up question. What syslog level do you set up for L2 & L3 switches or routers, especially L3 routers and Nexus? Thank you!!

0 Kudos

I tend to see most systems set up around 4 or 5 depending on how critical the device may be. That way you are getting (4) warning or (5) notice and more urgent syslog messages from the device. You can always set it to a 'noisier' level and determine if you want to step it back a severity level based on the amount of information and actionability of the messages being received.
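
Added example, not part of any reply in this thread: a small collector-side filter showing what a level 4 or level 5 threshold keeps, grouped per sending device in the way the replies describe per-device files. The device names and log lines are constructed samples, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Syslog severities: 0 emergency, 1 alert, 2 critical, 3 error,
# 4 warning, 5 notice, 6 informational, 7 debug (lower = more urgent).
PRI_RE = re.compile(r"^<(\d{1,3})>")                      # PRI = facility * 8 + severity
CISCO_RE = re.compile(r"%[A-Z0-9_]+-([0-7])-[A-Z0-9_]+")  # e.g. %LINK-3-UPDOWN

def severity_of(line):
    """Return the 0-7 severity of a syslog line, or None if it cannot be parsed."""
    m = CISCO_RE.search(line)          # prefer the Cisco %FACILITY-SEV-MNEMONIC tag
    if m:
        return int(m.group(1))
    m = PRI_RE.match(line)             # fall back to the <PRI> header
    if m and int(m.group(1)) <= 191:   # 191 is the highest valid PRI value
        return int(m.group(1)) % 8
    return None

def filter_by_level(records, max_level):
    """Group (source, line) records per source, keeping severity <= max_level.
    Unparseable lines are kept so that nothing is silently dropped."""
    kept = defaultdict(list)
    for source, line in records:
        sev = severity_of(line)
        if sev is None or sev <= max_level:
            kept[source].append(line)
    return dict(kept)

# Constructed sample records: (sending device, raw message as received)
SAMPLE = [
    ("sw-access-01", "<189>45: Jan 10 09:12:01: %SYS-5-CONFIG_I: Configured from console by admin on vty0"),
    ("sw-access-01", "<190>46: Jan 10 09:12:05: %SEC-6-IPACCESSLOGP: list 101 denied tcp (constructed)"),
    ("rtr-core-01", "<187>12: Jan 10 09:13:40: %LINK-3-UPDOWN: Interface Gi1/0/1, changed state to down"),
    ("rtr-core-01", "<188>13: Jan 10 09:13:41: %DEMO-4-SAMPLE: constructed warning message"),
    ("rtr-core-01", "<186>14: Jan 10 09:14:00: constructed message without a Cisco tag"),
]

if __name__ == "__main__":
    for level in (5, 4):
        for device, lines in filter_by_level(SAMPLE, level).items():
            print(f"level<={level} {device}: {len(lines)} message(s) kept")
```

Stepping the threshold from 5 back to 4 drops the configuration-change notice from the access switch, which is the kind of trade-off to check before lowering verbosity.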


wluther I do have a follow-up question. What syslog level do you set up for L2 & L3 switches or routers, especially L3 routers and Nexus? Thank you!!

0 Kudos