Firewall Wizards mailing list archives

Re: syslog and network management
From: david () lang hm
Date: Thu, 21 Feb 2008 17:19:58 -0800 (PST)

On Wed, 20 Feb 2008, Darden, Patrick S. wrote:

> 3.  Performance-wise, is there anything special needed?  Not really.
> It depends on the size of the network, number of devices, how much
> detail you are recording, etc.  What you describe is a good basis for
> starting.  Probably the three best things you could do would be: dual
> core cpu (any decent ghz), a great NIC (or two, lots of udp bursts from
> syslog), and lots of storage (you would want to keep at least 1 year in
> local drive space).

if you end up doing much searching through your logs you can end up eating 
a LOT more CPU than you imagine, especially as you correlate things and 
end up searching for more related items at a time.

I've also found that it's faster to gzip the logs as you rotate them and 
search through the compressed logs than to search through the same volume 
of logs uncompressed.

what I do on my very busy servers is to put one high-rpm SCSI drive and 
one (or more) large SATA drives in the box. I have syslog write to the 
SCSI drive and then when I rotate the logs I save them to the slow, but 
cheap SATA drive.

David Lang
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
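The two-volume layout and compress-on-rotate approach described in the message above, as an added example that is not David Lang's code or anything from the firewall-wizards list. The directory paths, the date-stamp naming scheme and the sample log lines are all constructed for illustration; point LIVE_DIR at the fast volume syslogd writes to and ARCHIVE_DIR at the large, cheap volume.

```shell
#!/bin/sh
# Added example, not code from the original post. Demonstrates the layout
# David Lang describes: syslogd writes to a fast "live" volume; at rotation
# the file is gzipped straight onto a cheap archive volume and the live
# file is truncated; searches then run over the compressed archive without
# expanding it to disk.
set -eu

# Hypothetical mount points (assumptions, not from the original message).
LIVE_DIR="${LIVE_DIR:-/tmp/syslog-live}"          # fast, small (the SCSI drive)
ARCHIVE_DIR="${ARCHIVE_DIR:-/tmp/syslog-archive}" # slow, large (the SATA drive)

# rotate_log NAME [STAMP]: compress LIVE_DIR/NAME into ARCHIVE_DIR/NAME.STAMP.gz,
# then truncate the live file in place. Truncating (rather than renaming)
# keeps the inode syslogd already has open, so it can keep writing without
# a HUP; the small window between the copy and the truncate can lose a
# few lines, which is the usual copytruncate trade-off.
rotate_log() {
    log="$1"
    stamp="${2:-$(date +%Y%m%d)}"
    mkdir -p "$ARCHIVE_DIR"
    gzip -c "$LIVE_DIR/$log" > "$ARCHIVE_DIR/$log.$stamp.gz"
    : > "$LIVE_DIR/$log"
}

# search_archive NAME PATTERN: stream every compressed copy of NAME through
# grep. gzip -dc decompresses to a pipe, so nothing is written back to disk;
# "|| true" keeps a no-match result (grep exit 1) from tripping set -e.
search_archive() {
    log="$1"; pattern="$2"
    gzip -dc "$ARCHIVE_DIR/$log".*.gz | grep -E -- "$pattern" || true
}

# count_archive_matches NAME PATTERN: number of matching lines across all
# archived copies (handy when scripting correlation across many rotations).
count_archive_matches() {
    search_archive "$1" "$2" | wc -l | tr -d ' '
}

# Constructed sample log lines (not real traffic) so the script runs offline.
seed_sample_log() {
    mkdir -p "$LIVE_DIR"
    cat > "$LIVE_DIR/messages" <<'EOF'
Feb 21 17:00:01 fw1 kernel: DROP IN=eth0 SRC=192.0.2.10 DST=203.0.113.5 PROTO=TCP DPT=22
Feb 21 17:00:02 fw1 sshd[1234]: Failed password for root from 192.0.2.10 port 51234 ssh2
Feb 21 17:00:03 fw1 kernel: ACCEPT IN=eth0 SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP DPT=443
Feb 21 17:00:04 fw1 sshd[1235]: Failed password for admin from 192.0.2.10 port 51235 ssh2
EOF
}

# Stand-alone demonstration: two "days" of rotation, then a search.
demo() {
    seed_sample_log
    rotate_log messages 20080220
    seed_sample_log
    rotate_log messages 20080221
    echo "failed SSH logins across the archive:"
    search_archive messages 'Failed password'
    echo "total: $(count_archive_matches messages 'Failed password')"
}

# Run the demo only when executed directly, not when sourced.
[ "${0##*/}" = "sh" ] || [ "${0##*/}" = "bash" ] || demo
```

logrotate(8) expresses the same policy declaratively with its `compress` and `olddir` directives; check your version's man page for the restriction on `olddir` living on a different device, which is what a two-drive layout requires.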