hey all,
can anybody give me an advice to implement rules,filters, and actions for large network environment
7 core switches
300 and distribution and access switch
15 routers , Wlan controllers 100 access point
thanks,
Check my other post for what rules I've documented for ASAs. These rules are great for the first 7 rules if you've got an ASA. It will also handle a lot of other devices--although some exceptions are probably needed. Then you can process all the other devices.
It's near impossible to provide a one shoe fits all for any enterprise.
Syslog, by it's very nature, behaves differently per vendor, per hardware.
In general EMERGE, CRITICAL (Varies) & ALERTS (varies wildly) should be emailed. But some devices will sapm you with things at CRIT & ALERT that are not critical or worthy of alerting.
Find a GREP tool for the OSes you use. I prefer to perform GREPs right on the syslog server (Windows) rather that across network shares. Simply far faster. I use WinGRep, but the product doesn't function well past Server 2003--so I'm looking at other Windows GREP GUIs. Learning a good grep tool is vital to being able to get what you need to know from your logs.
How you organize--depends upon your enterprise and, to some degree, how you think. If you have a problem in CITY-A, do you want your logs segregated by Location (in most cases YES). If you have lots of WAN-to-WAN issues, you might prefer to have all your WAN routers logged to a single folder. We've broken them up by Distributions beneath a site. FW are separate usually due to sheer volume. We also separate wireless because it is a large volume and there is a lot that can be ignored on the wireless side.
\\site-A\Distrib-A\2011-04\2011-04-13_SITE-A-DISTRIB-A.log
\\site-A\Distrib-B\2011-04\2011-04-13_SITE-A-DISTRIB-B.log
Every segmentation requires a different rule and a different filter. So you will find limits to how much you can carve things up.
I can tell you the the WLAN controllers may send you thousands of ALERTS a day. Which you may be justified in ignore 100% of them. Other ALERTs form routers and switches you SHOULD be acting on. I don't know if I've seen an ALERT on a WLC that was worth an email.
SolarWinds solutions are rooted in our deep connection to our user base in the THWACK® online community. More than 195,000 members are here to solve problems, share technology and best practices, and directly contribute to our product development process.