Logscape Support

Post Info TOPIC: Couple of questions about Syslog and splitting devices..


Member

Posts: 16


Hi,

I have multiple devices sending logs to Logscape's built-in Syslog server - this includes 4 Firewalls, 2 Email Security Gateways, 2 Web Application Firewalls and a dozen Apache Servers.

What's the best way to ensure these device logs are optimally indexed?

I'd like tags for Firewalls, Email Security, WAFs. For the moment I've just configured separate datasources - unfortunately, though, I don't think this is sustainable, especially if we scaled to 100-200 devices. Can anybody recommend another solution?

 



-- Edited by kelv1n on Friday 18th of September 2015 11:49:00 PM

__________________


Veteran Member

Posts: 41

I'm a little unsure about your main concern - data granularity (How do I split my data) or performance?

If you're interested in optimal indexing performance, then that's an environment architecture question and we'd need to know more about how you intend to scale and data volumes etc.

If it's data granularity, you've got a couple of tools to work with:

1. Comma Separate your data sources. So instead of a data source labelled Firewalls, have DEV,Firewalls and UAT,Firewalls or even PROD,UK,Firewalls. That way you can search over your firewalls and then cut it down to a specific group.
2. ResourceGroups. This allows you to group your source machines, use the Agents page to group them and then use those filters on the Data Sources.
3. You can also prevent some users from seeing data outside their team's remit, using the Users page. That can really improve performance and focus if it fits your use case.


__________________

Excelian - GitHub



Member

Posts: 16

Excellent, thanks again, really appreciate you bringing that up. I've already started with the comma-separated data sources (a simple, yet very nice and effective feature).

I'll take a look at the resource groups, as I didn't know about them.

__________________