Best Syslog Server?
-
Is ELK a Syslog Server?
-
-
@aaronstuder said:
Is ELK a Syslog Server?
Yes, and more.
-
ELK and ELG (Graylog2) would be my favourites for self hosting. Splunk is great but super expensive beyond a trivially small use case. Logg.ly is awesome if you are going to pay for someone to host it for you.
-
I'm muddling through this myself. My week in a nutshell:
Everyone loves ELK! I should love ELK! ELK!
I hate ELK.
Graylog! It's a Splunk killer! Easy! Pretty! Graylog!
I hate Graylog.
Everyone still loves ELK! I should still love ELK! ELK?
I still hate ELK.
Icinga! Opsview! Fluentd! AlienVault/OSSIM! ELK!?
Wait. Why am I doing this? I just need syslog. Add parsing/searching/dashboards later.
I love syslog-ng!
/week
Moral of this story:
Define your needs before diving down the logging rabbit hole. As nice as ELK, etc, can be, they take a lot of work and planning to produce the polished niceness that you see on display all over the webs. I promise that writing filters, learning grok, and parsing complex non-RFC-compliant-syslog is not something that can be done in an afternoon. Instead of jumping to the end of the line, start at the beginning (solid syslog server) and add layers as needed. Lord knows every one of these tools can be weaved in with the others later.
-
What did you end up trying out?
-
But are your logs sexy?
LogInsight is also my "jam" in logs. You don't even need to learn regex...
-
@John-Nicholson said in Best Syslog Server?:
But are your logs sexy?
LogInsight is also my "jam" in logs. You don't even need to learn regex...
Awesome find. I want to play with that now. It's ELK(R) with some additional stuff on top. Very cool.
-
I had an ELK server set up. I switched to Graylog. You don't need a specific forwarder, rsyslog just works. And you can get a pre-built VM to use. Kibana is an awesome tool, but just takes so much time to learn.
-
Custom forwarders have advantages (super fast source filtering, compression and TLS support, custom meta tags, lower CPU) was my Experiance with LI.
Note, outside of maybe sumologic everyone with custom agents allows you to use legacy syslog.
-
@stacksofplates said in Best Syslog Server?:
I had an ELK server set up. I switched to Graylog. You don't need a specific forwarder, rsyslog just works. And you can get a pre-built VM to use. Kibana is an awesome tool, but just takes so much time to learn.
I prefer the agents. Much easier and more powerful.