Jason,
I appreciate you taking the time to look at the guide and respond. (Some
of this will not be specific to rsyslog, sorry.) I plan on documenting
the agent setup on the endpoints and the OSSEC server setup. I want to
verify my assumptions about how everything will work, prior to posting
anything regarding the endpoints and OSSEC. I might be changing out some
graphics and editing out a few lines of text if it doesn't. Besides
that, there will be sections on tuning ES nodes, securing ES, GL, and
rsyslog nodes among other things.
I did find a suitable Windows agent for shipping logs (I have settled on
Datagram's syslogagent http://www.syslogserver.com/syslogagent.html). In
the initial setup of nxlog the log output was not very pretty. It was
very hard to read. It seemed like there would be a lot of tweaking to
get legible output from server 2008 and above (I may try again when more
time presents itself). I also tried the rsyslog Windows agent, which worked
well. We may come back to it after some more testing of syslogagent.
The design always centered around using elasticsearch as the noSQL
backend and rsyslog for the log repository. There are a couple of things
that lead me to build the EGL stack instead of the ELK stack; Graylog2
offers LDAP integration and user management and Kibana doesn't (that was
the main thing). I understand there is a product called Shield, which
aims to fill that void, but Shield will need some time to mature I think
(I could be wrong. I am making an assumption based off of its v1.0 status).
Logstash seems pretty versatile but I found rsyslog has the ability to
write directly to elasticsearch using the omelasticsearch plugin (it
worked great in my testing). Honestly, I am still wrapping my head
around everything but if rsyslog can write and parse logs then logstash
seems redundant. I cannot say where rsyslog's capabilities diverge from
logstash since I have not done extensive testing; there may be a reason
to use logstash and rsyslog together, but that use case is yet to present
itself to me.
The ELK stack definitely wins the easy setup award. Setting up Graylog2
was a lot more work. I had a single-server ELK setup done in about 30
minutes (not a "production" setup, but usable). It took an entire night
and then some to work through setting up graylog2 with all the extra
dependencies. It was also not clear as to how GL works with
elasticsearch. I now know GL2 sets itself up as another ES node. I don't
want to go on too much more because it is not all specific to rsyslog
but I would be interested in working on some documentation for logging
infrastructure. I can't write C so this is a small way I can contribute.
Regards,
Brandon
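
As an added illustration of the omelasticsearch path Brandon describes above (this is example configuration written for this page, not something posted in the thread or copied from the rsyslog project), the fragment below has rsyslog write JSON documents straight into Elasticsearch with no Logstash in between. The hostname es1.example.internal, the index prefix, the error-file path and the spool directory are assumptions; the module, template and action parameter names are the ones omelasticsearch documents for rsyslog 7.x/8.x.

```rsyslog
# Example only (not from the original thread): ship syslog to Elasticsearch
# directly from rsyslog via omelasticsearch, no Logstash hop.
# Assumed: rsyslog 7.x/8.x built with omelasticsearch, and an ES node at
# es1.example.internal:9200 reachable only from the log-collector network.
module(load="omelasticsearch")

# Spool directory for the disk-assisted queue used below.
global(workDirectory="/var/spool/rsyslog")

# One JSON document per message. format="json" escapes quotes and
# backslashes in free-text fields so an attacker-controlled message body
# (or a spoofed tag) cannot break out of its field or forge extra fields.
template(name="es-json" type="list") {
  constant(value="{")
  constant(value="\"@timestamp\":\"") property(name="timereported" dateFormat="rfc3339")
  constant(value="\",\"host\":\"")     property(name="hostname" format="json")
  constant(value="\",\"severity\":\"") property(name="syslogseverity-text")
  constant(value="\",\"facility\":\"") property(name="syslogfacility-text")
  constant(value="\",\"tag\":\"")      property(name="syslogtag" format="json")
  constant(value="\",\"message\":\"")  property(name="msg" format="json")
  constant(value="\"}")
}

# One index per day (logstash-YYYY.MM.DD) so old data can be closed or
# deleted by date instead of living forever in a single index.
template(name="es-index" type="list") {
  constant(value="logstash-")
  property(name="timereported" dateFormat="rfc3339" position.from="1" position.to="4")
  constant(value=".")
  property(name="timereported" dateFormat="rfc3339" position.from="6" position.to="7")
  constant(value=".")
  property(name="timereported" dateFormat="rfc3339" position.from="9" position.to="10")
}

# Bulk API for throughput; disk-assisted queue plus unlimited retries so an
# ES outage stalls delivery instead of silently dropping events; documents
# ES rejects (mapping conflicts etc.) are written to errorfile for review.
action(type="omelasticsearch"
       server="es1.example.internal"
       serverport="9200"
       template="es-json"
       searchIndex="es-index"
       dynSearchIndex="on"
       searchType="syslog"
       bulkmode="on"
       errorfile="/var/log/rsyslog-es-errors.log"
       queue.type="LinkedList"
       queue.filename="es-queue"
       queue.saveOnShutdown="on"
       action.resumeRetryCount="-1")
```

Check the syntax with `rsyslogd -N1` before restarting, then confirm the daily indices appear with `curl http://es1.example.internal:9200/_cat/indices?v`. Two caveats a practitioner should weigh against the Shield remark above: this transport is plain HTTP with no authentication, so port 9200 must be firewalled to the collector network (or fronted by a TLS-terminating reverse proxy), and the rejected-document errorfile should be rotated and monitored, since a flood of rejections is how a broken mapping, or someone deliberately feeding malformed events, shows up first. Newer rsyslog 8 releases add omelasticsearch options for HTTPS and basic-auth credentials; check the omelasticsearch documentation for the version actually installed.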
On 02/11/2015 07:34 PM, jasons wrote:
Brandon,
This looks like an awesome logging guide! Having all the command examples
can really cut down on time figuring each step out.
I'm really interested in why you chose this design. For example, why did
you opt not to use logstash and kibana, which seem like popular choices, and
go for Graylog instead? Also, how did you set up your log collectors or
agents? I didn't see much about installing the ossec agents but a lot on
rsyslog setup. Are you able to get the same kind of information without the
ossec agents?
I'd love to see more supporting docs talking about what each of these
technologies are for and why someone would use one versus another. Let me
know if you're interested in working together on this.
Thanks,
Jason
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.