Re: Recommendations for Syslogging software

On 4/26/05, Hodgson, Tim <Tim.Hodgson@hdfse.com> wrote:> I recently installed a 
couple of PIX firewalls and I'm looking for some good> Syslogging software to 
gather stats and raise alerts via e-mail etc….> > I've currently got a freebie 
version of the Kiwi Syslog Daemon running but> was wondering if there are 
better solutions out there. 
Assuming you are not stuck with sending your logs to a MicrosoftWindows host, 
there are a number of solutions for taking syslog feedsfrom PIX (and other 
syslog sources) and processing the events.
The first place to look is http://www.loganalysis.org/If you have a spare box 
with fast disks and somebody who can undertakethe care and feeding of a 
Unix-like OS, you might look into 
syslog-ng(http://www.balabit.com/products/syslog_ng/).
> The software does not  have to be shareware> If the best solution costs then 
> the budget is there to pay for it.
If you have more money than time and staff, you might consider theLogLogic 
appliance products (http://www.loglogic.com/).  An employerof mine almost 
deployed these, until we learned they run Linux andcannot accept a TCP feed 
from our existing syslog-ng log aggregators.

One important caveat:  take extreme care in configuring a PIX to sendsyslog 
events via TCP (the standard for syslog is UDP).  While TCPprovides reliable 
logging, the Cisco PIX implementation isintentionally designed to "fail 
closed";  if the log listener stopsaccepting events, the PIX stops passing 
traffic.
Kevin Kadow