Syslog product/solution wanted



Frank Fegert
07-25-2004, 02:47 AM
Hello all,

this has been discussed before, but I'd like to go over it again
to see if possibly a new solution has emerged on the horizon ;-)

I'm currently using NIC's PrivateI as a syslog server for a number
of PIXen, routers and VPN 3000s. Conceptually it's a really great
product, but it has some major sticks in the spokes:
- very pricey, even with the small business licences
- seems to get more buggy with every new version
- tends to run into performance problems in one of my setups
(probably Windows related), so going through the logs takes a
lot of time
- runs only on Windows (appliance not an option)

What I'm looking for is the following:
- preferably Unix/Linux based tool
- preferably database backend to handle large amounts of data
and still have good performance
- interface to search entire data, plus interface like "Alert
Monitor" in PrivateI to see incidents since the last visit
- facility to filter the data displayed in the "Alert Monitor"
- less pricey, since I want to add more devices/systems to the
central logging facility

Sadly, my research didn't yield much besides PrivateI. Creating a
custom project/software from scratch seems to be a rather long
way to go. Recently a DBA colleague showed me HTMLDB from Oracle,
which could be used to rapidly create a UI. So my idea was as
follows:

Device (PIX, IOS, VPN, ...)
  |
  |--> Syslog (Unix)
         |
         |--> Text files
                |
                |--> Parser (C or Perl)
                       |
                       |--> Oracle DB <-----------+
                                                  |
Browser ---> Apache/HTMLDB <----------------------+

My concerns are with the syslog and the parser part. Is the syslog
daemon able to deal with large logging rates? Currently we have
200 events/s with PrivateI and it's beginning to drop a few events
during high-load times (due to license restrictions, that is).
Does anyone have experience with the parser part? Perl seems to be
the choice in regard to its string manipulation strengths, but as
above I have performance concerns.

Any comments on this are appreciated!

Regards,

Frank
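As an added illustration of the "Parser (C or Perl)" stage in the pipeline sketched in the post above (this is not code from the original thread or from any of the products named there), here is a small C parser for the BSD-style syslog lines a Unix syslogd writes to its text files. It assumes the classic `Mmm dd hh:mm:ss host tag: message` layout, treats a leading `<PRI>` as optional (present on the wire, normally stripped by syslogd before the line reaches a file), and, for Cisco PIX/IOS messages whose tag looks like `%PIX-6-302013`, recovers the severity from the digit in the tag when no PRI is available. The sample lines are constructed for the example; the `syslog_event` structure, `parse_syslog_line`, `is_alert` and `count_alerts` are this example's own names, not anything from PrivateI or HTMLDB.

```c
/* Added example: minimal parser for BSD-syslog / Cisco PIX log lines.
 * Not from the original forum post; format assumptions and sample
 * lines are the example author's own. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

typedef struct {
    int  facility;        /* from <PRI> (0..23), or -1 if the line has no PRI */
    int  severity;        /* 0=emerg .. 7=debug; from PRI, else from a
                             Cisco %NAME-n-NNNNNN tag, else -1 (unknown) */
    char timestamp[16];   /* "Jul 25 02:47:01" */
    char host[64];
    char tag[64];         /* "%PIX-6-302013" or "sshd[1234]" */
    char msg[512];
} syslog_event;

/* Copy the token in *p up to (not including) delim into dst, advance *p past
 * the delimiter. Returns 0 if the delimiter is missing, the token is empty
 * or it does not fit into dst. */
static int take_token(const char **p, char *dst, size_t n, char delim)
{
    const char *s = *p, *e = strchr(s, delim);
    if (!e || e == s || (size_t)(e - s) >= n) return 0;
    memcpy(dst, s, (size_t)(e - s));
    dst[e - s] = '\0';
    *p = e + 1;
    return 1;
}

/* Parse one line into ev. Returns 1 on success, 0 if the line does not
 * match the expected "[<PRI>]Mmm dd hh:mm:ss host tag: msg" layout. */
int parse_syslog_line(const char *line, syslog_event *ev)
{
    const char *p = line;
    memset(ev, 0, sizeof *ev);
    ev->facility = ev->severity = -1;

    /* Optional <PRI>: facility*8 + severity, as sent over UDP/514. */
    if (*p == '<') {
        char *end;
        long pri = strtol(p + 1, &end, 10);
        if (*end != '>' || pri < 0 || pri > 191) return 0;
        ev->facility = (int)(pri / 8);
        ev->severity = (int)(pri % 8);
        p = end + 1;
    }

    /* BSD timestamp is a fixed 15 characters ("Jul  5 ..." is space padded). */
    if (strlen(p) < 16 || p[15] != ' ') return 0;
    memcpy(ev->timestamp, p, 15);
    ev->timestamp[15] = '\0';
    p += 16;

    if (!take_token(&p, ev->host, sizeof ev->host, ' ')) return 0;
    if (!take_token(&p, ev->tag, sizeof ev->tag, ':')) return 0;
    while (*p == ' ') p++;
    snprintf(ev->msg, sizeof ev->msg, "%s", p);
    ev->msg[strcspn(ev->msg, "\r\n")] = '\0';   /* drop trailing newline */

    /* Cisco PIX/IOS tags carry the severity between the dashes: %PIX-4-106023. */
    if (ev->severity < 0 && ev->tag[0] == '%') {
        const char *d = strchr(ev->tag, '-');
        if (d && isdigit((unsigned char)d[1]) && d[2] == '-')
            ev->severity = d[1] - '0';
    }
    return 1;
}

/* "Alert Monitor" style filter: keep events at or above a severity
 * threshold (lower number = more severe). Unknown severity never alerts. */
int is_alert(const syslog_event *ev, int max_severity)
{
    return ev->severity >= 0 && ev->severity <= max_severity;
}

/* Count how many of n lines parse and pass the alert filter. */
int count_alerts(const char *const lines[], int n, int max_severity)
{
    syslog_event ev;
    int count = 0;
    for (int i = 0; i < n; i++)
        if (parse_syslog_line(lines[i], &ev) && is_alert(&ev, max_severity))
            count++;
    return count;
}

/* Constructed sample input: one raw line with PRI, two syslogd-written lines
 * without PRI, and one malformed line. Addresses are documentation ranges. */
enum { SAMPLE_COUNT = 4 };
const char *const SAMPLE_LINES[SAMPLE_COUNT] = {
    "<166>Jul 25 02:47:01 fw01 %PIX-6-302013: Built outbound TCP connection 4711 "
    "for outside:203.0.113.5/80 (203.0.113.5/80) to inside:192.0.2.10/33021 (198.51.100.1/1025)",
    "Jul 25 02:47:02 fw01 %PIX-4-106023: Deny tcp src outside:203.0.113.9/4444 "
    "dst inside:192.0.2.10/22 by access-group \"outside_in\"",
    "Jul 25 02:47:04 loghost sshd[1234]: Accepted publickey for frank from 192.0.2.50 port 50022 ssh2",
    "garbage",
};

int main(void)
{
    syslog_event ev;
    for (int i = 0; i < SAMPLE_COUNT; i++) {
        if (!parse_syslog_line(SAMPLE_LINES[i], &ev)) {
            printf("unparsed: %s\n", SAMPLE_LINES[i]);
            continue;
        }
        printf("fac=%2d sev=%2d host=%-8s tag=%-14s alert=%d\n",
               ev.facility, ev.severity, ev.host, ev.tag, is_alert(&ev, 4));
    }
    printf("alerts at severity <= 4: %d\n", count_alerts(SAMPLE_LINES, SAMPLE_COUNT, 4));
    return 0;
}
```

Two design points worth noting: a traditional syslogd does not write the `<PRI>` into its files, so a parser reading those files has to get severity from somewhere else, and for PIX/IOS the message mnemonic is the reliable place; and a line that fails to parse is reported rather than silently skipped, so that dropped or truncated lines show up as a count instead of vanishing. Loading the resulting struct into the database (the Oracle DB stage) is not shown here.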