How long do you retain your SYSLOG messages?

Right now I only keep syslog messages for 7 days due to trying to keep control of performance and Orion's database size.

However, we need to keep these much longer - maybe 12 to 18 months for Compliance/Audit, but only for our network devices (routers, switches, PIX, ASA, SonicWall, etc.)

Could I expect Orion to adjust to this type of growth and keep its performance tight, or should I go another way, like allowing our Corner-Bowl-Log-Manager to take on network syslogs?

NOTE: I anticipate getting RAID1-0 for Orion later in 2011, providing better disk performance and a much larger database, even for syslog retention. Disk space will not be an issue.

But my question is, how much of our historical syslog messages can Orion's database handle without degrading?

Right now it is only 1.1GB out of NETPERFMON's 38.0 GB. So it may end up that the SYSLOG tables become the bulk of NETPERFMON.

So if syslog alone becomes 58GB, is there concern about making future reports, queries, etc. from a database/tables of this size?

  • Here was an idea I heard last week regarding this very subject.

    #1 - Use Kiwi to be the front Syslog server, then have Kiwi forward those selected types of events you want to be on Orion. This way, you can archive, burn to DVD, etc. much better on the Kiwi box.

    #2 - Retention. I need to keep mine for about 5 years.

    Shawn

  • I completely agree - there's a definite need to make the determination between what's active and online and what's available but offline.

    Kiwi Syslog's ability to forward a message while keeping the device's original IP (via local subnet spoofing) is a killer feature.

  • yea I currently use the log to file feature in orion but it's very very very buggy...

    i still think solarwinds should just improve the existing syslog server in orion! like a feature to log both to database and to the same way kiwi keeps their syslogs... then set a retention to ~10days in orion and keep the files from "kiwi" for however long we desire :)

    EDIT: btw, we still log to the database and have the retention set to 12months, which is for how long we need to keep it at least... the syslog table is almost 20GB!

  • Kiwi Syslog Server (even the free version) will log all your syslogs to an SQL database, separate from NPM.

    You can set nodes to send syslogs to the same IP on different port numbers.

    So with Kiwi Syslog Server on the same server as NPM, if you have Kiwi listening on the default port (514) and NPM listening on a different port (can be configured in <install dir>\SyslogService.exe.config) then you can have Kiwi logging to a DB and NPM alerting on syslog events.

    Anyway, in Orion NPM syslogs are only supposed to be used for real time alerting, not for historical storage.

  • well, but everything else in orion is made for history and reporting... :)

    at some companies it's more difficult than you might think to use an additional software for it. if you bought orion to replace cattools and kiwi syslog, it's difficult to explain why you would now need the free kiwi syslog version to replace orion again ;-)

  • I'm curious, does this retention policy (or lack of it) apply for traps too? I don't see how I can retain my trap for 12 months in my solarwinds app.



  • I'm curious, does this retention policy (or lack of it) apply for traps too? I don't see how I can retain my trap for 12 months in my solarwinds app.



    No, traps use their own retention policy.  Trap retention is configured from within the Trap Viewer console tool on older versions but is configured in the Admin section of the WebUI on more recent versions. 

    Older Versions

    Log into your primary NPM console and launch the Trap Viewer, once in there go to File --> Settings --> General Tab, now you should see a slider bar where you can adjust the retention.

    Newer Versions

    Go to the Admin Section of the WebUI, click on Polling Settings.  Now in the Database Settings section you should see an option to configure trap retention.

    Hope this helps!

  • The Syslog and Trap Configuration recommendations I give Customers are to use Kiwi Syslog Server (there is a free option available). Orion was not designed to retain all Syslog and Traps in the Database for an extended period of time, but was designed to Alert on the Syslog and Traps coming in. I always suggest that you have all Syslog and Traps go into the Kiwi Syslog Server and create Rules to forward your important logs to the Orion Server to generate Alerts.

    Separating your Syslog and Trap use into Kiwi Syslog will give you more functionality from the Orion variant, and it will allow you to save it into a separate Database or Log Files depending upon how long or how you would like to store your Data.
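
The split several replies recommend (archive every message on a front collector, forward only the important ones to the alerting server) can be sketched as below. This is an added example, not part of the thread and not Kiwi or Orion code; the severity threshold, the per-day/per-source file layout and the sample messages are assumptions.

```python
import ipaddress
import re
from pathlib import Path

# Assumption: severities 0-4 (emergency..warning) also go to the alerting
# server; every message is archived regardless of severity.
FORWARD_MAX_SEVERITY = 4
PRI_RE = re.compile(r"^<(\d{1,3})>")

def parse_pri(message):
    """Return (facility, severity) from the syslog PRI header, or None."""
    m = PRI_RE.match(message)
    if not m or int(m.group(1)) > 191:      # 23*8+7 is the largest valid PRI
        return None
    pri = int(m.group(1))
    return pri >> 3, pri & 7

def route(source_ip, message, archive_dir, day):
    """Archive the message; return True if it should also be forwarded."""
    # Validate the peer address before using it in a file name.
    ip = str(ipaddress.ip_address(source_ip))
    path = Path(archive_dir) / day.isoformat() / f"{ip}.log"
    path.parent.mkdir(parents=True, exist_ok=True)
    with path.open("a", encoding="utf-8") as fh:
        fh.write(message.replace("\n", " ") + "\n")   # one record per line
    parsed = parse_pri(message)
    # A malformed header is kept for audit and forwarded, not silently dropped.
    return parsed is None or parsed[1] <= FORWARD_MAX_SEVERITY

def process(batch, archive_dir, day):
    """Route (source_ip, message) pairs; return the subset to forward."""
    return [(ip, msg) for ip, msg in batch if route(ip, msg, archive_dir, day)]

# Constructed sample messages from documentation addresses, not real devices.
SAMPLE = [
    ("192.0.2.1", "<187>Jan 10 12:00:01 rtr1 %LINK-3-UPDOWN: Interface Gi0/1, changed state to down"),
    ("192.0.2.1", "<190>Jan 10 12:00:05 rtr1 %SYS-6-LOGGINGHOST_STARTSTOP: Logging started"),
    ("192.0.2.9", "<166>Jan 10 12:00:07 fw1 %ASA-6-302013: Built outbound TCP connection"),
    ("192.0.2.9", "garbled message with no PRI"),
]

if __name__ == "__main__":
    import tempfile
    from datetime import date
    with tempfile.TemporaryDirectory() as tmp:
        for ip, msg in process(SAMPLE, tmp, date(2011, 1, 10)):
            print("forward:", ip, msg[:45])
```

With this layout the long retention period applies to the archive directory, while the alerting database only ever receives the forwarded subset.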