We are a small shop IT department and it has been emphasized to us to monitor our syslogs. We do not have a lot of background in this. I have been playing with KIWI but the amout of logs to gather is overwhelming. We need some guidance or best practices for setting up a log server and what to focus on. We have firewalls, switches and multiple windows servers. I can easily gather all the info but knowing what to focus in on is the hard part. Any guidance would be helpful. Out of all the documentation I have not found something like this or I dont know what to look for. Thanks!
Without getting too technical, like bkyle said, you have to know what it is you want to focus on. I have a couple of rules setup for my firewalls. One that simply dumps everything to log files, and another that looks for specific messages (i.e. User logins, command inputs), when those message IDs are found an email is sent with a copy of the syslog message.
You can have Kiwi alert on things such as
- failed/successfull login attempts
- Configuration Changes
- Interface status changes
- Connections to/from specific IPs
I know all of mine seem to be geared more towards firewall equipment, but depending on what you're monitoring, you'll know whats important to you and what's not.
Phillip this really depends on your logging compliance needs. Most of the traffic most people receive (up to 98%0 are informational messages. I would configure your devices to send notice and above. This should drastically reduce the number of syslogs coming into your Kiwi Syslog server.
SolarWinds solutions are rooted in our deep connection to our user base in the THWACK® online community. More than 150,000 members are here to solve problems, share technology and best practices, and directly contribute to our product development process.