Discussion:
Storage of syslog in Zenoss
zenoss-dranix
2013-01-15 07:05:49 UTC
zenoss-dranix [http://community.zenoss.org/people/zenoss-dranix] created the discussion

"Storage of syslog in Zenoss"

To view the discussion, visit: http://community.zenoss.org/message/70973#70973

--------------------------------------------------------------
I am planning to set up Zenoss to also meet my syslog needs. Intend to use Zenoss as a syslog analyser. I have tried a syslog server named Octopussy and noticed that the syslog messages are saved as files under "/var/lib/octopussy/logs/xxx". So I am wondering if Zenoss works on a similar concept. I have read it somewhere that Zenoss uses ZODB. So does it mean that all data that Zenoss collects are not visible or rather not saved as files?
Please advise.
Thank You.
--------------------------------------------------------------

Reply to this message by replying to this email -or- go to the discussion on Zenoss Community
[http://community.zenoss.org/message/70973#70973]

Start a new discussion in zenoss-users by email
[discussions-community-forums-zenoss--***@community.zenoss.org] -or- at Zenoss Community
[http://community.zenoss.org/choose-container!input.jspa?contentType=1&containerType=14&container=2003]
jmp242
2013-01-15 15:10:04 UTC
jmp242 [http://community.zenoss.org/people/jmp242] created the discussion

"Re: Storage of syslog in Zenoss"

To view the discussion, visit: http://community.zenoss.org/message/71011#71011

--------------------------------------------------------------
Zenoss doesn't store data as files. It stores event data, which syslog gets translated into, in MySQL...

--
James Pulver
ZCA Member
LEPP Computer Group
Cornell University
--------------------------------------------------------------

nilie
2013-01-15 18:19:16 UTC
nilie [http://community.zenoss.org/people/nilie] created the discussion

"Re: Storage of syslog in Zenoss"

To view the discussion, visit: http://community.zenoss.org/message/71003#71003

--------------------------------------------------------------
We're using syslog to monitor our infrastructure instead of snmp traps and at least for us, Zenoss is one of the best tools for syslog analyzing. However, you have to consider the following:
* As James mentioned, Zenoss stores syslog messages as events together with other events it generates, in one single MySQL database. Zenoss doesn't store them in standard syslog format although you can still find all the components of the original syslog message.
* Zenoss has not been designed specifically and can't be optimized to run as a syslog analyzer. Depending on the volume of syslog messages, you may run into performance problems sooner than it is the case for a specialized, dedicated syslog server.
* Zenoss does not offer the possibility to archive events indefinitely so if you really need to keep the messages for longer than a few months, this might again affect Zenoss performance.
--------------------------------------------------------------

themactech
2013-01-15 20:10:50 UTC
themactech [http://community.zenoss.org/people/themactech] created the discussion

"Re: Storage of syslog in Zenoss"

To view the discussion, visit: http://community.zenoss.org/message/71004#71004

--------------------------------------------------------------
You might want to look at a tool like Splunk, it's a data analytics/aggregator tool. It allows you to trigger alerts on thresholds and can also do trending/correlation.

Some folks have already bridged it to Zenoss, so it will feed events when necessary to a Zenoss server.

Manuel
--------------------------------------------------------------

zenoss-dranix
2013-01-16 03:21:11 UTC
zenoss-dranix [http://community.zenoss.org/people/zenoss-dranix] created the discussion

"Re: Storage of syslog in Zenoss"

To view the discussion, visit: http://community.zenoss.org/message/71020#71020

--------------------------------------------------------------
Thanks everyone for your replies...
So you were saying that the original syslog messages are still present as files, similar to how Octopussy handles syslog messages?

You also brought up a point of performance when archive events are still present. Does it mean that events that have been addressed should be deleted? So how do I maintain the collected data? For example, if I were to make a comparison between last yr's data and this yr.
And also syslog messages are important for auditing purposes as well. So, if Zenoss keeps syslog messages as files, it would act as a form of data warehouse for future reference.
Please advise.
Thank You.
--------------------------------------------------------------

nilie
2013-01-16 17:14:41 UTC
nilie [http://community.zenoss.org/people/nilie] created the discussion

"Re: Storage of syslog in Zenoss"

To view the discussion, visit: http://community.zenoss.org/message/71041#71041

--------------------------------------------------------------
No, original syslog messages are not being stored in files. They are being processed, i.e. converted into events and stored into a MySQL database like all other non-syslog events. In case you want to compare last year vs. this year, you'll have to extract the info from the database but you'll have to configure Zenoss to hold event records for that long (it automatically deletes the events after a specified amount of time) with negative consequences for the performance of the system.
In my opinion, Zenoss cannot meet your needs for a syslog server, especially for the auditing purposes.
--------------------------------------------------------------

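Added example, not part of the thread and not Zenoss code: a sketch of the distinction the replies above draw between converting a syslog line into an event record and keeping the original line in a file for audit. The field names, the `<archive_dir>/<host>/<date>.log` layout and the sample line are assumptions made for illustration; they are not Zenoss's schema or Octopussy's directory layout.

```python
import os
import re
from datetime import datetime

# RFC 3164 line: <PRI>Mmm dd hh:mm:ss host tag[pid]: message
_LINE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: ?(?P<msg>.*)$"
)
SEVERITIES = ("emerg", "alert", "crit", "err", "warning", "notice", "info", "debug")


def to_event(raw, year):
    """Split one raw line into event fields (illustrative names, not Zenoss's schema)."""
    m = _LINE.match(raw)
    if m is None or int(m["pri"]) > 191:
        # Keep unparseable input as an event instead of dropping it silently.
        return {"host": None, "summary": raw, "parsed": False}
    pri = int(m["pri"])
    # RFC 3164 timestamps carry no year, so the receiver has to supply one.
    when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {
        "host": m["host"], "tag": m["tag"],
        "pid": int(m["pid"]) if m["pid"] else None,
        "facility": pri // 8, "severity": SEVERITIES[pri % 8],
        "when": when, "summary": m["msg"], "parsed": True,
    }


def archive_and_convert(raw, year, archive_dir):
    """Append the untouched line to <archive_dir>/<host>/<date>.log, then return the event."""
    event = to_event(raw, year)
    # The hostname is sender-controlled: allow only safe characters in the path.
    host = re.sub(r"[^A-Za-z0-9_.-]", "_", event["host"] or "").strip(".") or "unparsed"
    day = event["when"].strftime("%Y-%m-%d") if event["parsed"] else "undated"
    folder = os.path.join(archive_dir, host)
    os.makedirs(folder, exist_ok=True)
    path = os.path.join(folder, day + ".log")
    with open(path, "a", encoding="utf-8") as fh:
        fh.write(raw.rstrip("\n") + "\n")
    return event, path


# Constructed sample line (not taken from the thread).
SAMPLE = "<38>Jan 15 07:05:49 fw01 sshd[2211]: Failed password for invalid user admin"
```

The event record can be purged on whatever schedule the monitoring database needs, while the per-host daily files hold the byte-for-byte original for as long as the audit retention period requires.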
jmp242
2013-01-16 20:17:06 UTC
jmp242 [http://community.zenoss.org/people/jmp242] created the discussion

"Re: Storage of syslog in Zenoss"

To view the discussion, visit: http://community.zenoss.org/message/71048#71048

--------------------------------------------------------------
You should look at either OSSEC or syslog-ng in my opinion...

--
James Pulver
ZCA Member
LEPP Computer Group
Cornell University
--------------------------------------------------------------

zenoss-dranix
2013-01-17 05:58:47 UTC
zenoss-dranix [http://community.zenoss.org/people/zenoss-dranix] created the discussion

"Re: Storage of syslog in Zenoss"

To view the discussion, visit: http://community.zenoss.org/message/71050#71050

--------------------------------------------------------------
Hi everyone,
Thanks for your replies.
Was playing around with Zenoss and was hoping I could also use it as a syslog collector cum analyser. But it seems like I have to use a different system for syslog.
I am looking at OSSEC, thanks for your suggestion jmp242.
Thanks.
--------------------------------------------------------------

joanypony
2013-01-17 20:23:53 UTC
joanypony [http://community.zenoss.org/people/joanypony] created the discussion

"Re: Storage of syslog in Zenoss"

To view the discussion, visit: http://community.zenoss.org/message/71058#71058

--------------------------------------------------------------
Hi,

I tried using Zenoss as a syslog server. There were no other devices on the Zenoss install, it had only syslog messages to deal with. We had a very large volume of syslog messages and it didn't cope well. While the database only locked up once or twice, looking at events (old syslog messages) in the history became impossible as there were just too many and it took too long to load.
Joan
--------------------------------------------------------------
