[unisog] reporting on a central syslog server

Bill Martin bmartin at luc.edu
Wed Apr 6 13:40:22 GMT 2005

After spending a great deal of time working with syslog, or log analysis in general, what I can tell you from experience is that SWATCH is a nice tool for either parsing down the logs to retain only required information, or for monitoring the logs near real time (multiple consoles with separate filters); logwatch is not a bad deal for nightly reports and generation, but this is mostly post activity.

My personal preference is to use both of these in addition to a variety of home rolled scripts and Perl code.

Your syslog needs are going to be as unique as your networks and hosts.  I personally prefer parsing out only what we know to be good and evaluating the rest.

Good luck
-Bill Martin-
Sr. Systems Analyst
Loyola University Chicago
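The "keep only what we know to be good and evaluate the rest" approach above is easy to prototype outside of SWATCH. The script below is an added example, not code from either poster: it parses classic BSD-syslog lines, drops messages that match a small list of assumed known-good patterns (an internal SSH key login, an hourly cron run, a PIX outbound-connection message), and returns the residue collapsed to unique host/message pairs with counts so that a reviewer sees each unexplained message once. The sample log lines and the pattern names are constructed for the example.

```python
import re
from collections import Counter
from typing import Iterable, List, Optional, Tuple

# Constructed sample lines in BSD syslog format (not taken from the thread).
SAMPLE_LOGS = [
    "Apr  6 13:40:22 host1 sshd[1234]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2",
    "Apr  6 13:40:25 host1 cron[2201]: (root) CMD (run-parts /etc/cron.hourly)",
    "Apr  6 13:41:02 host2 sshd[1300]: Failed password for invalid user admin from 198.51.100.7 port 40022 ssh2",
    "Apr  6 13:41:03 host2 sshd[1300]: Failed password for invalid user admin from 198.51.100.7 port 40022 ssh2",
    "Apr  6 13:42:10 fw1 %PIX-6-302013: Built outbound TCP connection 12345 for outside:203.0.113.9/443 to inside:10.0.0.5/51000",
    "Apr  6 13:42:11 host1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/ls",
    "Apr  6 13:43:00 host3 kernel: usb 1-1: new high-speed USB device number 3",
]

# "<Mon> <day> <hh:mm:ss> <host> <message>" as written by classic syslogd / syslog-ng.
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<msg>.*)$"
)

# Assumed known-good patterns. Each one is deliberately narrow: the SSH rule only
# accepts key logins from the 10/8 range, so a password login or an external
# source still lands in the residue for review.
KNOWN_GOOD: List[Tuple[str, "re.Pattern[str]"]] = [
    ("ssh_accept_internal",
     re.compile(r"sshd\[\d+\]: Accepted publickey for \w+ from 10\.\d+\.\d+\.\d+ port \d+ ssh2$")),
    ("cron_job",
     re.compile(r"cron\[\d+\]: \(\w+\) CMD \(")),
    ("pix_outbound_built",
     re.compile(r"%PIX-6-302013: Built outbound TCP connection")),
]


def parse_syslog(line: str) -> Optional[Tuple[str, str, str]]:
    """Split one line into (timestamp, host, message); None if it is not syslog-shaped."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    return m.group("ts"), m.group("host"), m.group("msg")


def reduce_logs(lines: Iterable[str], known_good=KNOWN_GOOD) -> Tuple[Counter, List[Tuple[str, str]]]:
    """Return (count of lines dropped per known-good rule, residue as (host, msg) pairs).

    Lines that do not parse are kept in the residue under the pseudo-host
    "unparsed" rather than silently discarded.
    """
    matched: Counter = Counter()
    residue: List[Tuple[str, str]] = []
    for line in lines:
        parsed = parse_syslog(line)
        if parsed is None:
            residue.append(("unparsed", line))
            continue
        _ts, host, msg = parsed
        for name, pattern in known_good:
            if pattern.search(msg):
                matched[name] += 1
                break
        else:
            residue.append((host, msg))
    return matched, residue


def summarize_residue(residue: List[Tuple[str, str]]) -> Counter:
    """Collapse repeated (host, msg) pairs so each unexplained message is reviewed once."""
    return Counter(residue)


if __name__ == "__main__":
    dropped, left = reduce_logs(SAMPLE_LOGS)
    print("known-good lines dropped:", dict(dropped))
    for (host, msg), n in summarize_residue(left).most_common():
        print(f"{n:4d}  {host}  {msg}")
```

Because the timestamp is stripped before counting, the two identical failed-password lines from host2 collapse into a single entry with a count of 2; as the known-good list grows the residue shrinks, and anything new on the network shows up as a message you have not yet classified.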

>>> michael.holstein at csuohio.edu 04/04/05 8:08 AM >>>
Before I get out my O'Reilly books and re-invent the wheel, what are 
folks out there using to report against a central syslog environment 
with Syslog-NG doing the logging from multiple UNIX systems of various 
type (mostly Solaris, a few others) as well as Windows Server logs and 
PIX firewall info?

We're talking 6-10gb per 24 hours, uncompressed.

If you wish, email off-list and I'll summarize in a few days.


Michael Holstein CISSP GCIA
Cleveland State University