improving signal to noise ratio from centralized network syslogs

Jippen cheetahmorph at
Sun Feb 4 09:07:45 UTC 2018

I really recommend setting up fluentd, and then routing logging from there
- it makes it very easy to keep auditor-appeasing logs, while also having
important stuff sending pages. Log aggregation, organization, and search is
a hard problem, other people have already done it and provided it as a
service, and chances are its NOT a core competency or secret sauce at your

Once you get your logs in one routing system, you can do a lot with them,
but stop rolling your own. This is a prime area for most companies to buy
something that works better, for less than the cost of developing in house.
And if you run your own aggregation layer - then you can easily try out a
bunch of different systems and add/remove them easily. :)

Also, you may want to see one level of logs, but your auditors might wanna
see another, and your engineers/sec team might wanna do some analytics on
them. Being able to provide a solution for everyone who needs network logs
at whatever detail level they ask for will make you popular at your

On Sun, Feb 4, 2018 at 12:21 AM, Tarko Tikan <tarko at> wrote:

> hey,
> This is done with the 'logging facility'
>> command on the devices:
>> After defining your syslog server's IP
>> address and the level of messaging you want
>> (I set it to debug because I want to see
>> everything):
>> on the routers: logging facility local0
>> on the switches:  logging facility local1
> Alternative, and more universal, way to do it is to use multiple IPs for
> syslog server. Then configure correct syslog server IP on the device.
> syslog-ng and others can all do filtering to different destinations based
> on the IP where message was received.
> --
> tarko

More information about the NANOG mailing list