1 Reply Latest reply on Apr 13, 2011 9:51 AM by RoyalEF

    best syslog rules for enterprise network

    jack3

      hey all,

      can anybody give me an advice to implement rules,filters, and actions for large network environment 

      7 core switches

      300 and distribution and access switch

      15 routers , Wlan controllers 100 access point 

       

      thanks,

        • Re: best syslog rules for enterprise network

          Check my other post for what rules I've documented for ASAs.  These rules are great for the first 7 rules if you've got an ASA.  It will also handle a lot of other devices--although some exceptions are probably needed.  Then you can process all the other devices.

          Kiwi Syslog Server High CPU Utilization - Messages Seem to be behind

           

          It's near impossible to provide a one shoe fits all for any enterprise.

          Syslog, by it's very nature, behaves differently per vendor, per hardware. 

          In general EMERGE, CRITICAL (Varies) & ALERTS (varies wildly) should be emailed.  But some devices will sapm you with things at CRIT & ALERT that are not critical or worthy of alerting.

           

          Find a GREP tool for the OSes you use.  I prefer to perform GREPs right on the syslog server (Windows) rather that across network shares.  Simply far faster.   I use WinGRep, but the product doesn't function well past Server 2003--so I'm looking at other Windows GREP GUIs.   Learning a good grep tool is vital to being able to get what you need to know from your logs.

           

          How you organize--depends upon your enterprise and, to some degree, how you think.  If you have a problem in CITY-A, do you want your logs segregated by Location  (in most cases YES).   If you have lots of WAN-to-WAN issues, you might prefer to have all your WAN routers logged to a single folder.   We've broken them up by Distributions beneath a site.  FW are separate usually due to sheer volume.  We also separate wireless because it is a large volume and there is a lot that can be ignored on the wireless side.

          \\site-A\Distrib-A\2011-04\2011-04-13_SITE-A-DISTRIB-A.log

          \\site-A\Distrib-B\2011-04\2011-04-13_SITE-A-DISTRIB-B.log

          Every segmentation requires a different rule and a different filter.  So you will find limits to how much you can carve things up.

          I can tell you the the WLAN controllers may send you thousands of ALERTS a day.  Which you may be justified in ignore 100% of them.  Other ALERTs form routers and switches you SHOULD be acting on. I don't know if I've seen an ALERT on a WLC that was worth an email.