Re: Syslog Server for ESX

meistermn · ‎03-12-2008

Which Syslog Server has realbenefits?

1.) Splunk

2.) Fedora

3.) Free Virtual Appliance

Which others free and commcerial syslog products are usefull for easy log file analysis?

matuscak · ‎03-12-2008

Fedora out of the box gives you a solid syslog server, but not all that much in terms of analysis or reporting. Fedora has Logwatch, but I don't think Logwatch knows anything about analyzing ESX syslog out of the box. In the little bit that I've looked at rolling your own Logwatch stuff, it didnt seem to be all that easy. Of course, if you just want to collect the data and use grep when you need to, you may get everything you want out of Fedora for a very low cost.

If your'e a Windows shop, you might want to take a look at Kiwi Syslog. http://www.kiwisyslog.com/kiwi-syslog-daemon-overview/

In addition to just logging stuff, it has some fairly neat tools to post process the data.

Texiwill · ‎03-12-2008

Hello,

My book goes into detail on how to configure logwatch, there is not that much that is needed and it works quite well. You will have to monitor other logfiles than the default and ignore quite a few things, but it is pretty straightforward to setup.

Best regards,

Edward L. Haletky

VMware Communities User Moderator

====

Author of the book 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education. As well as the Virtualization Wiki at http://www.astroarch.com/wiki/index.php/Virtualization

--
Edward L. Haletky
vExpert XIV: 2009-2023,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill

sshelston · ‎03-12-2009

Splunk all the way.

Check out this easy how-to: http://www.splunk.com/base/Community:VMwareESXSyslog

And Splunk is free if you index less than 500MB/day. Check it out! It rocks!

eoporto · ‎03-12-2009

I will second Splunk. It can collect syslog data just fine like other sysloggers, but its ability to index logs for easy searching and linking up with other distributed Splunk servers is tops.

Beware of he who would deny you access to information, for in his heart, he dreams himself your master.

P.S : If you think that the answer is helpful please consider rewarding points.

Beware of he who would deny you access to information, for in his heart, he dreams himself your master. P.S : If you think that the answer is helpful please consider rewarding points.

Texiwill · ‎03-13-2009

Hello,

Besides Splunk there is also Snare.

Best regards,
Edward L. Haletky
VMware Communities User Moderator, VMware vExpert 2009
====
Author of the book 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education.
Blue Gears and SearchVMware Pro Blogs -- Top Virtualization Security Links -- Virtualization Security Round Table Podcast

--
Edward L. Haletky
vExpert XIV: 2009-2023,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill

depping · ‎03-13-2009

I hope VIMA will be more advanced in syslogging in the future. I did a feature request, which in short should make all logs easily searchable on vima, color coded etc. I don't know what the status is unfortunately.

Duncan

VMware Communities User Moderator

-

Blogging:

Twitter:

If you find this information useful, please award points for "correct" or "helpful".

sshelston · ‎03-13-2009

Unfortunately Snare needs agents and adapters. It won't work with any data.

Splunk on the other hand doesn't normalize the data, it doesn't have a database with a schema to try and jam data into. It indexes anything and everything without knowing the data format ahead of time. Even if the format changes over time it will keep indexing. The beauty of it is that you can then apply "search time" extractions if needed to create dynamic key/value pairs.

Even indexing Windows event logs is much more straight forward. You can index local event logs or use WMI to retrieve them. Even use WMI to get to all perfmon data.

RobMokkink · ‎03-13-2009

Nworks can also work as a syslog collector. In combination with SCOM or HP Openview you get one solution for all your monitoring.

oreeh · ‎03-13-2009

Have a look at rsyslog and phplogcon

meistermn · ‎02-06-2011

Comparision of enterprise syslog server

http://www.infoworld.com/d/data-explosion/infoworld-review-meeting-the-network-security-and-complian...

Any others on the market ?

tejas201110141 · ‎09-07-2011

Installing a VMware ESXi Syslog Collector

All

Syslog Server for ESX