What's the best approach to receive syslog from different network devices?

I currently have a single connector via ArcMC to receive syslog from Cisco firewalls, but the company will implement more firewalls in the future and some are from Checkpoint. We also have lots of routers and switches from different brands. The only thing in common for all those network devices is that they all speak syslog.


Is it better to set up a single syslog smart connector to receive syslog from all those different devices, or to set up a connector for each kind of device, or perhaps each brand?


If I set up a single smart connector to receive syslog from a Cisco firewall and a Checkpoint firewall, would this connector be able to parse both logs at the same time? Would I need to do some tweaking in the connector settings?

  • Verified Answer

    A single syslog connector can parse all supported devices' logs. As a best practice, you should avoid sending more than 2500 EPS to a connector. If you have too many devices in your environment, for example, 10 firewalls, 5 email gateways, etc., I would recommend installing separate connectors for each type or vendor.

  • Thanks for the reply. Regarding your "2.5K EPS max per connector recommendation", what should I do if I have a single firewall that by itself outputs more than 2.5K?

    This is not my case, as ALL my firewalls output a little less than 3.5K. I'm just wondering what's the workaround. Is there an "official connectors best practices document" by Microfocus?

  • Normally I like to have separate connectors per product, even if they both speak syslog; this makes it easier to customize parsing without the possibility that it also affects other products.

    It also ensures that one product does not bring down all other products if suddenly it starts sending too much.

    It is fully possible to install several connectors on a single server, just different syslog ports, so if you don't want/can't install multiple servers then that is also an option (please try to limit it to maybe 8 per server).

    For large installations we have a syslog load balancer connector. This should at least support up to 30-40k EPS, and supports as many connectors behind it as you want.

    For example, you can configure a syslog load balancer connector with a "Cisco Pool" and a "Checkpoint pool", and define which IPs and ports are used for each pool; then you can scale the number of connectors behind it according to which product generates the most EPS.

    Try to limit the EPS to each connector to max 3.5K EPS on syslog only.
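The pool layout described in this answer, as an added example that is not part of the original post and not ArcSight's own load balancer code: sources are mapped to a named pool by source network and listening port, events are spread round-robin over the connectors behind that pool, and a small helper sizes each pool from its observed EPS against the 3.5K per-connector ceiling quoted above. Pool names, networks, hostnames and ports are constructed placeholders.

```python
import ipaddress
import math
from itertools import cycle

MAX_EPS_PER_CONNECTOR = 3500  # per-connector syslog ceiling quoted in the thread

# Constructed pool configuration (hypothetical networks, hostnames and ports).
POOLS = {
    "Cisco Pool": {
        "sources": ["10.1.0.0/24"],          # management IPs of the Cisco firewalls
        "ports": [514],                      # port the Cisco devices are pointed at
        "backends": [("connector-cisco-1", 1514), ("connector-cisco-2", 1514)],
    },
    "Checkpoint pool": {
        "sources": ["10.2.0.0/24"],
        "ports": [515],
        "backends": [("connector-cp-1", 1515)],
    },
}


class PoolRouter:
    """Assign each incoming syslog source to a pool and pick a backend connector."""

    def __init__(self, pools):
        self._rules = []   # (pool name, [networks], {ports})
        self._rr = {}      # pool name -> round-robin iterator over its backends
        for name, cfg in pools.items():
            nets = [ipaddress.ip_network(n) for n in cfg["sources"]]
            self._rules.append((name, nets, set(cfg["ports"])))
            self._rr[name] = cycle(cfg["backends"])

    def pool_for(self, src_ip, dst_port):
        """Return the pool name for a (source IP, destination port) pair, or None."""
        ip = ipaddress.ip_address(src_ip)
        for name, nets, ports in self._rules:
            if dst_port in ports and any(ip in net for net in nets):
                return name
        return None  # unknown source: caller should log and drop, not guess

    def route(self, src_ip, dst_port):
        """Return (pool name, backend) for a source, rotating over the pool's backends."""
        name = self.pool_for(src_ip, dst_port)
        if name is None:
            return None
        return name, next(self._rr[name])


def connectors_needed(observed_eps, max_eps=MAX_EPS_PER_CONNECTOR):
    """How many connectors a pool needs so none exceeds max_eps."""
    return max(1, math.ceil(observed_eps / max_eps))


if __name__ == "__main__":
    router = PoolRouter(POOLS)
    # Constructed sample of arriving packets: (source IP, destination port)
    for src, port in [("10.1.0.7", 514), ("10.1.0.8", 514), ("10.2.0.5", 515), ("192.168.1.1", 514)]:
        print(src, port, "->", router.route(src, port))
    for pool, eps in {"Cisco Pool": 7000, "Checkpoint pool": 3400}.items():
        print(pool, "needs", connectors_needed(eps), "connector(s)")
```

Sources that match no pool return `None` rather than falling into a default pool, so a new device pointed at the wrong port shows up as a routing gap instead of silently polluting another product's parser.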

  • I also recommend setting up several connectors, one for each product. Or several for each product if those send a lot of events. It also depends on the network itself... do you have a lot of segments? I wouldn't want Syslog to pass over several firewalls for example.

    Regarding the 3.5k mark... test it yourself first. I have had customers with connectors parsing ~7,000 EPS without any issues. However that depends on the log source as well as the system hosting the connector and the multithreading/heap settings.

    Other than that... if you run into issues with the performance of your connectors, try the load balancer as Marius2 already recommended.

    Quick tip: Try to use TCP, NOT UDP! Also whenever possible I'd use TLS.

  • I don't have lots of segments, that's not really my case, I was just wondering. One syslog connector for Cisco Firewalls and another for other network devices (routers, switches, APNs etc.) will be plenty for me. Maybe a syslog for each type of network device, I will check the throughput and act accordingly.

    As a side note, what is this case about "use TCP syslog and not UDP", why? Usually I see people using syslog on UDP.

  • Well when you use UDP and unless you have a load balancer, whenever the Connector is down... for example when it is updated... you will LOSE events! For obvious reasons that is not acceptable for a company. When you use TCP, the source device will cache the events for a short while and resend them once the Connector is back. Of course you will have to configure the source device correctly (cache size).

    Also using UDP there is a larger chance of losing events sporadically. I've had customers where there was event loss when UDP events were crossing a firewall.

    Is there a reason you do not want to install several Connectors by the way? You can easily install several of those on one host just to separate the device types. It's not just about the throughput.
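The difference this answer describes, as an added simulation that is not part of the original post and not vendor code: a UDP source fires and forgets, so every event emitted while the Connector is down is gone; a TCP source keeps a bounded resend cache and flushes it once the Connector accepts connections again, and the cache size decides how much of a longer outage survives. The `Connector` stand-in, the outage window and the sample messages are constructed for the demo.

```python
from collections import deque


class Connector:
    """Constructed stand-in for the receiving SmartConnector: accepts events only while up."""

    def __init__(self):
        self.up = True
        self.received = []

    def accept(self, event):
        if not self.up:
            raise ConnectionError("connector down")
        self.received.append(event)


class UdpSource:
    """UDP behaviour: send and forget, nothing tells the source the datagram was lost."""

    def __init__(self, connector):
        self.connector = connector

    def emit(self, event):
        try:
            self.connector.accept(event)
        except ConnectionError:
            pass  # datagram silently lost


class TcpSource:
    """TCP behaviour with a bounded resend cache, as the answer describes."""

    def __init__(self, connector, cache_size):
        self.connector = connector
        self.cache = deque(maxlen=cache_size)  # oldest event evicted when full
        self.dropped = 0                       # events lost to cache overflow

    def flush(self):
        """Resend cached events in order; stop at the first failure."""
        while self.cache:
            try:
                self.connector.accept(self.cache[0])
            except ConnectionError:
                return False
            self.cache.popleft()
        return True

    def emit(self, event):
        self.flush()
        if len(self.cache) == self.cache.maxlen:
            self.dropped += 1  # cache full and connector still down: oldest is lost
        self.cache.append(event)
        self.flush()


def simulate(cache_size, outage=(3, 6), total=10):
    """Emit `total` events with the connector down for event indexes in range(*outage).

    Returns (udp_delivered, tcp_delivered, tcp_dropped).
    """
    udp_conn, tcp_conn = Connector(), Connector()
    udp, tcp = UdpSource(udp_conn), TcpSource(tcp_conn, cache_size)
    for i in range(total):
        udp_conn.up = tcp_conn.up = not (outage[0] <= i < outage[1])
        # Constructed Cisco ASA-style syslog line; the content is irrelevant to the demo.
        msg = f"<134>Oct 11 22:14:{i:02d} fw01 %ASA-6-302013: Built outbound TCP connection {i}"
        udp.emit(msg)
        tcp.emit(msg)
    udp_conn.up = tcp_conn.up = True  # connector back after the update
    tcp.flush()
    return len(udp_conn.received), len(tcp_conn.received), tcp.dropped


if __name__ == "__main__":
    for size in (100, 2):
        udp_ok, tcp_ok, tcp_lost = simulate(cache_size=size)
        print(f"cache={size}: UDP delivered {udp_ok}/10, TCP delivered {tcp_ok}/10 (dropped {tcp_lost})")
```

With a cache larger than the outage (100 events) TCP delivers all ten while UDP loses the three sent during the outage; with a cache of two, TCP still loses the oldest cached event, which is the "configure the cache size correctly" point.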

  • No particular reason, I will use multiple connectors.