I would take a look at your syslog rules and try to find a count of logs coming in.  Maybe try making your first syslog rule drop the syslogs (I know you won't be getting anything, but at least it is running), then you could move the drop rule down.  It could just be a bad order of rules.  Best thing to do is figure out witch rule is doing the most work and move that to the beginning and add stop processing action.

You can use:

SELECT [IP],[SysLogFacility],[SysLogSeverity],[MessageType], COUNT(*) as [count]
  FROM [NetPerfMon].[dbo].[SysLog]
  where DateTime > '2011-04-27'
  group by [IP],[SysLogFacility],[SysLogSeverity],[MessageType]
  order by [COUNT] desc

to figure out where you big talkers are.

we had the same problem when we changed the logging of the firewalls to informational which created several hundred thousand more syslogs per hour.

New to Solarwinds but my Window's 2008 R2 with quadcore 8GB RAM CPU shoot's up 90-100% when Syslog is running on NPM 10.1.2.  Soon as I shutdown the service the cpu drops back to around 30% which is good.  Any ideas on how to remedy this?  Jonathan

You can read my post HERE regarding some best practices regarding Syslog and Orion. 

Also, to get an idea of how many logs of the different types you are logging to your database there is a resource you can add to your Summary View; go to the Admin section of the Orion WebUI --> Manage Views --> Find your summary view and click Edit --> Click on he Green + to add a resource to the appropriate column --> Under "Syslog" choose Advanced Syslog Counts --> Click Submit.  This will add a Syslog count breakdown resource to your summary view that looks similiar to the following...

There is the post I was trying to find, I couldn't find it, thank you byrona!  I marked it as a favorite now.

Here is a quick snapshot of turning syslog back on for 2minutes:

Advanced Syslog Counts

Past Hour

I will leave it off, but I like the format of syslog within NPM.  I wish there was a way for it to perform better.  On all my cisco devices I pretty much just did a  logg host x.x.x.x  so they're pretty much sending informational on down.  Thanks for the responses!

Jonathan

hi jonathan,

you could either turn the logging down on all devices to warning level, that should do the trick, if you cannot do that you can create a rule which will be on top of all others that discards all syslogs with a logging level higher than warning (the first one would be the best option)

you can also figure out which devices are sending those massive informational messages (I assume it is a firewall or similar) and turn the logging level for just that one device down to warning or if you cannot do that, filter out any syslogs with a logging level higher than warning for just that one device by discarding them, again the first choice is the better one if you will be able to do that

Wow! 210137 info! your getting about 2200 a second and 1700 of them are info (based on 120 secs).  I agree with Questionario, you might want to get rid of stuff above Warning.  You could also get a Different syslog server (maybe kiwi) in front of that server that saves everything, then forward only the warning ones to orion.