I have multiple devices sending logs to Logscape's built-in Syslog server - this includes 4 Firewalls, 2 Email Security Gateways, 2 Web Application Firewalls and a dozen Apache Servers.
What's the best way to ensure these device logs are optimally indexed?
I'd like tags for Firewalls, Email Security, WAFs. For the moment I've just configured separate data sources - unfortunately, though, I don't think this is sustainable, especially if we scaled to 100-200 devices. Can anybody recommend another solution?
-- Edited by kelv1n on Friday 18th of September 2015 11:49:00 PM
I'm a little unsure about your main concern - data granularity (how do I split my data?) or performance?
If you're interested in optimal indexing performance, then that's an environment architecture question and we'd need to know more about how you intend to scale and data volumes etc.
If it's data granularity, you've got a couple of tools to work with:
1. Comma-separate your data sources. So instead of a data source labelled Firewalls, have DEV,Firewalls and UAT,Firewalls or even PROD,UK,Firewalls. That way you can search over your firewalls and then cut it down to a specific group.
2. ResourceGroups. This allows you to group your source machines, use the Agents page to group them and then use those filters on the Data Sources.
3. You can also prevent some users from seeing data outside their teams remit, using the Users page. That can really improve performance and focus if it fits your use case.
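As an added illustration of point 1 (this is not Logscape's own code; the hostnames, labels and log lines are constructed), the snippet below attaches a comma-separated data source label to each syslog event and shows how a search over all Firewalls is then cut down to just PROD,UK,Firewalls:

```python
# Added illustration, not Logscape code: comma-separated source labels
# make a search start broad ("Firewalls") and narrow to one group.
import re
from dataclasses import dataclass

# Constructed mapping of syslog source hosts to their data source label.
SOURCE_LABELS = {
    "fw-lon-01": "PROD,UK,Firewalls",
    "fw-lon-02": "PROD,UK,Firewalls",
    "fw-dev-01": "DEV,Firewalls",
    "esg-01": "PROD,EmailSecurity",
    "waf-01": "PROD,UK,WAF",
    "web-07": "PROD,Apache",
}

# Minimal RFC 3164 style line: <PRI>Mon DD HH:MM:SS host program: message
SYSLOG_RE = re.compile(r"^<(\d{1,3})>(\w{3} +\d{1,2} \d\d:\d\d:\d\d) (\S+) (.*)$")

@dataclass
class Event:
    host: str
    tags: frozenset
    message: str

def parse(line):
    """Parse one syslog line; attach the source's label split into tags."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None  # not syslog shaped; a real pipeline would count these
    host = m.group(3)
    label = SOURCE_LABELS.get(host, "Unknown")
    return Event(host, frozenset(t.strip() for t in label.split(",")), m.group(4))

def search(events, *tags):
    """Events whose label carries every requested tag.
    search(events, "Firewalls") covers DEV and PROD firewalls;
    search(events, "PROD", "UK", "Firewalls") cuts it down to one group.
    """
    wanted = frozenset(tags)
    return [e for e in events if wanted <= e.tags]

# Constructed sample input (hosts, addresses and messages are made up).
SAMPLE = """<134>Sep 18 23:49:00 fw-lon-01 kernel: DROP IN=eth0 SRC=10.0.0.5 DST=10.0.1.9
<134>Sep 18 23:49:01 fw-dev-01 kernel: ACCEPT IN=eth1 SRC=10.1.0.7 DST=10.1.1.2
<131>Sep 18 23:49:02 esg-01 mta: quarantined message id=abc123
<132>Sep 18 23:49:03 waf-01 waf: blocked request path=/login
<134>Sep 18 23:49:04 web-07 apache: GET /index.html 200""".splitlines()

EVENTS = [e for e in map(parse, SAMPLE) if e]
```

The same subset test works for ResourceGroups-style filters too: any tag set that is a subset of an event's label matches, so adding more comma-separated parts never breaks broader searches.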
Excellent, thanks again. As for you bringing that up, I've already started with the comma-separated data sources (a simple, yet very nice and effective feature).
I'll take a look at the resource groups, as I didn't know about them.