Folks,
Mailman currently does not accept this message, so I am forwarding it to
the list. A reply follows. Should someone else also have problems sending
list mail, please let me know.
Rainer
> -----Original Message-----
> From: Stephen Malenshek [mailto:smalenshek at skyline-ats.com]
> Sent: Friday, April 25, 2008 6:05 PM
> To: rsyslog at lists.adiscon.com
> Cc: Rainer Gerhards
> Subject: FW: RSYSLOG "Best Practices" & General Questions
>
> I am currently setting up a managed service platform from various open
> source products out on the market and I would like to use your product
> as the standard SYSLOG replacement on all our sites. I have a couple of
> questions related to this and would like you to provide some input on
> the best ways to achieve specific objectives.
>
> 1) At the present time, I have started the configuration on the
> "central" server, which will act as the central repository for all data
> from the remote sites. I am configuring it to store all SYSLOG data
> within the database, but I have followed the recommendations made to
> "buffer" it to a spool first. My question is this: I do not want to
> just write the information to the database; for governmental
> compliance, I need to keep a duplicate copy in "standard" log format on
> the drive, which I will rotate and gzip daily, for long term log
> retention. I have looked around and did not find anything that
> specifically addresses this... It looked like it should be able to be
> done, but I am just not sure of the best way to accomplish this.
>
> 2) At each customer site, there will be a server called a "collector"
> that will accept all SYSLOG related information for that site... This
> server will store a copy of the log files for the local network as a
> repository, but it also needs to send it to the central server for
> processing. My question is whether it will be more efficient to write
> the information directly to the database, or to just send it using
> normal SYSLOG directives, i.e. *.* @{IP Address}, and let the server
> process and insert it like it would local logs?
>
> 3) Within the scenario listed in question 2, how can I 1) preserve all
> the original IP addresses of the machines that are transmitting
> information, and 2) tag that information with a specific account code
> identifying the site that the information was sent from? Within the
> database, I have created a column called "customerid" that I would like
> to do this with. In this, I would like to designate a name or integer
> like "1" for site A, "2" for site B, etc. The reason for this is that I
> will run into situations where multiple customers will have the same IP
> addressing scheme. I figure this could be passed from the site's
> collector as a site identifier, but I am not sure how to accomplish
> this. I think I can accomplish this on the central server, if I have
> to, with a subquery within the insert query to another table to look up
> this value, but I am looking for a much more "elegant" method.
>
> 4) During the processing of this information, whether it is the logs
> or the database inserts, we need to be able to parse this information,
> attempt to match using defined regular expressions and generate an
> email with the information matched. I saw an example of this somewhere,
> but after looking some, not a lot, I just have not found it again.
> Would you provide me with a few examples of efficient ways to
> accomplish this...?
>
> 5) Lastly, I am going to strongly recommend that all our clients use
> the products related to SYSLOG from Adiscon for us to be able to
> process information within this environment for Windows based
> machines. I would like to use the same table that is used for storage
> of the rest of the SYSLOG data, and I have the associated columns
> already built. I just want to make sure that what I set up now will be
> completely compatible and able to process NT Event Log information.
>
> Once again, thanks for your time and I look forward to hearing your
> thoughts related to this implementation. I have used SYSLOG-NG for
> years and found that it was great in some respects, but disappointing
> in being able to do storage to MySQL. You have a great product here.
>
>
>
>
>
> Stephen Malenshek
>
> Manager, Managed Services Group
>
> Skyline Advanced Technology Services
>
> Bozeman, Montana
>
> smalenshek at skyline-ats.com <mailto:smalenshek at skyline-ats.com>
>
>
>
> Phone: (406) 587-1047 x106
>
> Cell: (406) 599-9569
>
> Fax: (406) 587-1035
>
>
>
>
>
>
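An added configuration sketch, not part of the forwarded message and not code from the rsyslog project, showing one way the collector/central layout of questions 1, 3 and 4 can be expressed in rsyslog's legacy directive syntax of that era. It assumes a 3.x build with the ommysql and ommail output modules and the fromhost-ip message property; every host name, address, path, credential and table or column name other than "customerid" is a placeholder.

```conf
# Added example (not from the thread): rsyslog legacy-syntax sketch for
# questions 1, 3 and 4. Host names, addresses, paths, credentials, the
# table name and all columns except "customerid" are placeholders.

############ collector at site A (relays to the central server) ############
$ModLoad imudp
$UDPServerRun 514

# Local copy kept at the site (question 2).
*.* /var/log/site-a/all.log

# Question 3, part 1: a relayed message keeps whatever HOSTNAME the device
# sent. This template replaces it with the address the collector actually
# received the message from, so the original source IP survives the hop.
# @@ forwards over TCP, so a dropped connection is noticed rather than
# silently losing the compliance copy.
$template FwdOrigIP,"<%PRI%>%TIMESTAMP% %fromhost-ip% %syslogtag%%msg%\n"
*.* @@central.example.com:514;FwdOrigIP

############ central server ############
$ModLoad imtcp
$InputTCPServerRun 514
$ModLoad ommysql
$ModLoad ommail
$WorkDirectory /var/spool/rsyslog

# Question 1: two actions for the same selector. The flat file is the
# compliance copy (rotate and gzip it with logrotate); the database inserts
# below are disk-queued, so a slow or unreachable database does not block
# the file write.
*.* /var/log/central/all.log

# Question 3, part 2: on the central server, fromhost-ip is the relaying
# collector's address while HOSTNAME is the original device. Selecting a
# per-collector SQL template writes the site code into customerid directly,
# with no subquery at insert time, and two sites can share an internal IP
# scheme because the tag is derived from the collector, not the device.
$template SiteA_DB,"insert into SystemEvents (Message, FromHost, SysLogTag, Facility, Priority, DeviceReportedTime, customerid) values ('%msg%', '%HOSTNAME%', '%syslogtag%', %syslogfacility%, %syslogpriority%, '%timereported:::date-mysql%', 1)",SQL
$template SiteB_DB,"insert into SystemEvents (Message, FromHost, SysLogTag, Facility, Priority, DeviceReportedTime, customerid) values ('%msg%', '%HOSTNAME%', '%syslogtag%', %syslogfacility%, %syslogpriority%, '%timereported:::date-mysql%', 2)",SQL

# $ActionQueue* directives apply to the next action only, so each insert
# gets its own disk-assisted queue.
$ActionQueueType LinkedList
$ActionQueueFileName siteaq
$ActionQueueSaveOnShutdown on
$ActionResumeRetryCount -1
:fromhost-ip, isequal, "203.0.113.10" :ommysql:dbhost.example.com,Syslog,rsyslog,PASSWORD_PLACEHOLDER;SiteA_DB

$ActionQueueType LinkedList
$ActionQueueFileName sitebq
$ActionQueueSaveOnShutdown on
$ActionResumeRetryCount -1
:fromhost-ip, isequal, "203.0.113.20" :ommysql:dbhost.example.com,Syslog,rsyslog,PASSWORD_PLACEHOLDER;SiteB_DB

# Question 4: a property filter with a regular expression feeds ommail.
# The once-per-interval limit keeps a burst of matching lines from turning
# into a burst of mail; the file and database actions above still record
# every matching message.
$ActionMailSMTPServer mail.example.com
$ActionMailFrom rsyslog@central.example.com
$ActionMailTo soc@example.com
$template MailSubj,"rsyslog alert from %HOSTNAME%"
$template MailBody,"%TIMESTAMP% %HOSTNAME% %syslogtag%%msg%\r\n"
$ActionMailSubject MailSubj
$ActionExecOnlyOnceEveryInterval 300
:msg, regex, "authentication failure.*user=root" :ommail:;MailBody
```

The templates must each stay on a single line in the real file. The choice of fromhost-ip on the central side as the site key is what makes the design hold up when customers reuse the same private address ranges: the device address lands in FromHost for forensics, while customerid comes from which collector relayed the message.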