First off, not sure this is the right place for this, but I am curious if anyone has a suggestion on how to accomplish a task I have.
We currently have 2 syslog servers - Kiwi Syslog and the Orion Syslog service with NPM. Due to policy, I have to send ALL messages via syslog from our Cisco ASA 5520s to the Kiwi server (informational and up). What I am wanting to do is set up a syslog entry that ONLY sends "notify" and above messages to Orion. Mainly, I am wanting to get those "Botnet" messages from the ASA to Orion so I can alert on them.
I could set up the Orion box as just another syslog server, and use the DB rules to limit the data, but in just over a week the Syslog table grew to over 30 GB. Makes things a little unmanageable.
Any suggestions welcome. Thanks!
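Added illustration (not part of the original post, and not a Kiwi, Orion or Cisco feature): the severity test the poster describes, "notifications and above", expressed as a relay-side filter. A syslog PRI value is facility*8 + severity, with severity 0 (emergencies) most severe and 7 (debugging) least, so "notifications and up" means keeping severity 5 or lower and dropping 6 (informational) and 7 (debugging). The code also falls back to the severity digit embedded in the Cisco `%ASA-<sev>-<id>` tag when a line arrives without a PRI header. The sample lines and their message IDs are constructed for the example, not captured from the poster's firewalls.

```python
"""Severity-based syslog filter: keep 'notifications' (5) and more severe,
drop 'informational' (6) and 'debugging' (7). Added example code."""
import re
from typing import Iterable, List, Optional

# Cisco's names for the eight syslog severities, index == numeric severity.
SEVERITY_NAMES = [
    "emergencies", "alerts", "critical", "errors",
    "warnings", "notifications", "informational", "debugging",
]
NOTIFICATIONS = SEVERITY_NAMES.index("notifications")  # 5

# RFC 3164 PRI header: "<facility*8 + severity>" at the start of the line.
PRI_RE = re.compile(r"^<(\d{1,3})>")
# Embedded Cisco tag, e.g. "%ASA-4-338002"; group 1 is the severity digit.
ASA_TAG_RE = re.compile(r"%ASA-(\d)-(\d{6})")


def severity(line: str) -> Optional[int]:
    """Return the message severity (0-7), or None if it cannot be determined.

    The PRI header is authoritative when present and valid (0-191);
    otherwise fall back to the severity digit in the %ASA-<sev>-<id> tag.
    """
    m = PRI_RE.match(line)
    if m:
        pri = int(m.group(1))
        if pri <= 191:
            return pri % 8
    m = ASA_TAG_RE.search(line)
    if m:
        return int(m.group(1))
    return None


def filter_for_orion(lines: Iterable[str],
                     max_severity: int = NOTIFICATIONS) -> List[str]:
    """Keep lines at max_severity or more severe (numerically <=).

    Lines whose severity cannot be parsed are dropped rather than forwarded,
    so the second destination never receives unclassified noise.
    """
    kept = []
    for line in lines:
        sev = severity(line)
        if sev is not None and sev <= max_severity:
            kept.append(line)
    return kept


# Constructed sample input (facility local4 = 20, so PRI = 160 + severity).
# Message IDs are illustrative values for this example only.
SAMPLE_LINES = [
    "<166>%ASA-6-302013: Built outbound TCP connection 12345 for outside:203.0.113.5/443 to inside:192.0.2.10/51000",
    "<165>%ASA-5-111008: User 'admin' executed the 'logging host inside 192.0.2.20' command.",
    "<164>%ASA-4-338002: Dynamic Filter monitored blacklisted TCP traffic from inside:192.0.2.33/49152 to outside:198.51.100.7/80",
    "<167>%ASA-7-609001: Built local-host inside:192.0.2.10",
    "%ASA-3-710003: TCP access denied by ACL from 198.51.100.9/4444 to outside:203.0.113.1/22",
]

if __name__ == "__main__":
    for line in filter_for_orion(SAMPLE_LINES):
        sev = severity(line)
        print(f"forward [{sev} {SEVERITY_NAMES[sev]}] {line[:60]}...")
```

Run as a script it prints the three lines that would go to the second destination (the notification, the warning-level botnet-filter event, and the error) and silently drops the informational and debugging ones; the same `severity()` check is what a relay or forwarding rule in front of Orion would need to apply.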