Folks, mailman currently does not accept this message, so I forward it to the list. A reply follows. Should someone else also have problems sending list mail, please let me know.
Rainer

> -----Original Message-----
> From: Stephen Malenshek [mailto:[EMAIL PROTECTED]
> Sent: Friday, April 25, 2008 6:05 PM
> To: rsyslog@lists.adiscon.com
> Cc: Rainer Gerhards
> Subject: FW: RSYSLOG "Best Practices" & General Questions
>
> I am currently setting up creating a managed service platform from
> various open source products out on the market and I would like to use
> your product as the standard SYSLOG replacement on all our sites. I
> have a couple of questions related to this and would like you to
> provide some input on the best ways to achieve specific objectives.
>
> 1) At the present time, I have started the configuration on the
> "central" server, which will act as the central repository for all data
> from the remote sites. I am configuring it to store all SYSLOG data
> within the database, but I have followed the recommendations made to
> "buffer" it to a spool first. My question is this, I do not want to
> just write the information to the database, for governmental
> compliance, I need to keep a duplicate copy in "standard" log format on
> the drive, which I will rotate and gzip daily, for long term log
> retention. I have looked around and did not find anything that
> specifically addresses this... It looked like it should be able to be
> done, but I am just not sure the best way to accomplish this.
>
> 2) At each customer site, there will be a server called a
> "collector" that will accept all SYSLOG related information for that
> site... This server will store a copy of the log files for the local
> network as a repository, but it also needs to send it to the central
> server for processing. My question is whether it will be more
> efficient to write the information directly to the database, or to just
> send it using normal SYSLOG directives, 'I.E. *.* @{IP Address}, and
> let the server process and insert like it would local logs?
>
> 3) Within the scenario listed in question 2, how can I, 1) preserve
> all the original IP addresses of the machines that are transmitting
> information, and 2) tag that information with a specific account code
> identifying the site that the information was sent from. Within the
> database, I have created a column called "customerid" that I would like
> to do this with. In this, I would like to designate a name or integer
> like "1" for site A, "2" for site B, etc. The reason for this is that
> I will run into situations where multiple customers will have the same
> IP addressing scheme. I figure this could be passed from the site's
> collector as a site identifier, but I am not sure how to accomplish
> this. I think I can accomplish this on the central server, if I have
> to, with a subquery within the insert query to another table to lookup
> this value, but I am looking for a much more "elegant" method.
>
> 4) During the processing of this information, whether it is the
> logs or the database inserts, we need to be able to parse this
> information, attempt to match using defined regular expressions and
> generate an email with the information matched. I saw an example of
> this somewhere, but after looking some, not a lot, I just have not
> found it again. Would you provide me with a few examples of efficient
> ways to accomplish this...?
>
> 5) Lastly, I am going to strongly recommend that all our clients use
> the products related to SYSLOG from Adiscon for us to be able to
> process information within this environment for Windows based machines.
> I would like to use the same table that is used for storage of the rest
> of SYSLOG data, and I have the associated columns already built. I
> just want to make sure that what I set up now will be completely
> compatible and able to process NT Event Log information.
>
> Once again, thanks for your time and look forward to hearing your
> thoughts related to this implementation. I have used SYSLOG-NG for
> years and found that it was great in some respects, but disappointing
> being able to do storage to MySQL. You have a great product here.
>
> Stephen Malenshek
> Manager, Managed Services Group
> Skyline Advanced Technology Services
> Bozeman, Montana
> [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>
>
> Phone: (406) 587-1047 x106
> Cell: (406) 599-9569
> Fax: (406) 587-1035

_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog