Trusted Contributor.

What's the best approach to receive syslog from different network devices?


I currently have a single connector via ArcMC to receive syslog from Cisco firewalls, but the company will implement more firewalls in the future and some are from Checkpoint. We also have lots of routers and switches from different brands. The only thing in common for all those network devices is that they all speak syslog.


Is it better to setup a single syslog smart connector to receive syslog from all those different devices or to setup a connector for each kind of device, or perhaps each brand?


If I setup a single smart connector to receive syslog from a Cisco firewall and a Checkpoint firewall, would this connector be able to parse both logs at the same time? Would I need to do some tweaking in the connector settings?

Accepted Solution

Knowledge Partner

Re: What's the best approach to receive syslog from different network devices?


A single syslog connector can parse all supported devices' logs. As a best practice, you should avoid sending more than 2500 EPS to a connector. If you have too many devices in your environment, for example, 10 firewalls, 5 email gateways, etc., I would recommend installing separate connectors for each type or vendor.


7 Replies
Trusted Contributor.

Re: What's the best approach to receive syslog from different network devices?

Thanks for the reply. Regarding your "2.5K EPS max per connector recommendation", what should I do if I have a single firewall that by itself outputs more than 2.5K?

This is not my case, as ALL my firewalls output a little less than 3.5K. I'm just wondering what's the workaround. Is there an "official connectors best practices document" by Micro Focus?
Micro Focus Expert

Re: What's the best approach to receive syslog from different network devices?


Normally I like to have separate connectors per product, even if they both speak syslog; this makes it easier to customize parsing without the possibility that it also affects other products.

It also ensures that one product does not bring down all other products if suddenly it starts sending too much.

It is fully possible to install several connectors on a single server, just different syslog ports, so if you don't want/can't install multiple servers then that is also an option (please try to limit it to maybe 8 per server).

For large installations we have a syslog load balancer connector. This should at least support up to 30-40k EPS, and supports as many connectors behind it as you want.

For example, you can configure a syslog load balancer connector with a "Cisco pool" and a "Checkpoint pool", and define which IPs and ports are used for each pool; then you can scale the number of connectors behind it according to which product generates the most EPS.

Try to limit the EPS to each connector to max 3.5K EPS on syslog only.

-----------------------------------------------------------------------------------------
All topics and replies are based on my personal opinion, viewpoint and experience; they do not represent the viewpoints of Micro Focus.
All replies are based on best effort and cannot be taken as official support replies.
//Marius
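The pool design described above (events assigned to a "Cisco pool" or a "Checkpoint pool" by source address, several connectors behind each pool, a per-connector EPS ceiling) can be modelled in a few dozen lines. The following is an added example written for this thread; it is not ArcSight, ArcMC or Micro Focus code and uses none of their APIs. The pool table, device addresses, connector counts and log lines are all constructed sample data, and the 2500 EPS budget is the figure from the accepted answer.

```python
"""Pool-based syslog routing with a per-connector EPS budget.

Added example; not ArcSight, ArcMC or Micro Focus code. It models the design
sketched in the thread: a front end receives syslog from many devices, assigns
each event to a pool by source address, spreads the pool over N connectors,
and flags any connector whose measured rate exceeds a budget. Pool names,
networks, device addresses and log lines are constructed sample data.
"""
import ipaddress
import re
from collections import Counter

PRI_RE = re.compile(r"^<(\d{1,3})>")

# Constructed pool table (assumption): source networks -> pool, plus how many
# connectors sit behind the pool. More specific networks win over broader ones.
POOLS = {
    "cisco": {"networks": ["10.0.1.0/24"], "connectors": 2},
    "checkpoint": {"networks": ["10.0.2.0/24"], "connectors": 1},
    "netdev": {"networks": ["10.0.0.0/8"], "connectors": 1},  # routers, switches
}
EPS_BUDGET = 2500  # per-connector ceiling quoted in the accepted answer


def parse_pri(line):
    """Return (facility, severity) from the RFC 3164 <PRI> header, or None if
    the line does not start with a valid one (i.e. is not syslog-shaped)."""
    m = PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:  # 24 facilities * 8 severities - 1 is the largest legal PRI
        return None
    return pri // 8, pri % 8


def pool_for(src_ip, pools=POOLS):
    """Longest-prefix match of the sender address against the pool table."""
    ip = ipaddress.ip_address(src_ip)
    best_name, best_len = None, -1
    for name, cfg in pools.items():
        for net in cfg["networks"]:
            network = ipaddress.ip_network(net)
            if ip in network and network.prefixlen > best_len:
                best_name, best_len = name, network.prefixlen
    return best_name


def connector_for(pool, src_ip, pools=POOLS):
    """Stable device -> connector assignment: hashing the source address keeps
    every event from one device on the same connector."""
    n = pools[pool]["connectors"]
    return f"{pool}-{int(ipaddress.ip_address(src_ip)) % n}"


def route(events, window_seconds, pools=POOLS, budget=EPS_BUDGET):
    """events: iterable of (src_ip, raw_line) seen during window_seconds.
    Returns (eps_per_connector, connectors_over_budget, unroutable_count)."""
    counts = Counter()
    unroutable = 0
    for src_ip, line in events:
        pool = pool_for(src_ip, pools)
        if pool is None or parse_pri(line) is None:
            unroutable += 1  # unknown sender or not syslog; a catch-all pool would take these
            continue
        counts[connector_for(pool, src_ip, pools)] += 1
    eps = {c: n / window_seconds for c, n in counts.items()}
    over = sorted(c for c, rate in eps.items() if rate > budget)
    return eps, over, unroutable


def sample_events():
    """Constructed 10-second traffic sample: two Cisco ASA firewalls, one
    Check Point gateway, one IOS router, one unknown host and one junk line."""
    asa = "<166>Jan 13 2021 10:00:00 fw01 : %ASA-6-302013: Built outbound TCP connection 12345 for outside:203.0.113.5/443 to inside:10.0.1.50/51000"
    cp = "<134>Jan 13 10:00:00 cpfw01 fw: accept src=10.0.2.50 dst=198.51.100.7 proto=tcp dport=443"
    ios = "<189>Jan 13 10:00:00 rtr01 42: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to up"
    for _ in range(30000):
        yield "10.0.1.10", asa   # busy ASA: 3000 EPS on its own
    for _ in range(5000):
        yield "10.0.1.11", asa   # quieter ASA: 500 EPS
    for _ in range(20000):
        yield "10.0.2.10", cp    # 2000 EPS
    for _ in range(100):
        yield "10.3.4.5", ios    # 10 EPS
    yield "192.168.1.1", ios     # no pool matches this sender
    yield "10.3.4.5", "not a syslog line"


if __name__ == "__main__":
    eps, over, unroutable = route(sample_events(), window_seconds=10)
    for connector, rate in sorted(eps.items()):
        flag = "  OVER BUDGET" if connector in over else ""
        print(f"{connector:14s} {rate:8.1f} EPS{flag}")
    print(f"unroutable events: {unroutable}")
```

Running it flags `cisco-0` at 3000 EPS while `cisco-1` idles at 500: because assignment hashes on the source address, a single chatty firewall cannot be split across two connectors, which is exactly the case raised earlier in the thread. The remaining knobs at that point are the connector's own capacity (host, heap and thread settings, as a later reply notes) or the vendor's load balancer scaling the pool.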
Knowledge Partner

Re: What's the best approach to receive syslog from different network devices?


I also recommend setting up several connectors, one for each product, or several for each product if those send a lot of events. It also depends on the network itself... do you have a lot of segments? I wouldn't want syslog to pass over several firewalls, for example.

Regarding the 3.5k mark... test it yourself first. I have had customers with connectors parsing ~7.000 EPS without any issues. However, that depends on the log source as well as the system hosting the connector and the multithreading/heap settings.

Other than that... if you run into issues with the performance of your connectors, try the load balancer as Marius2 already recommended.

Quick tip: Try to use TCP, NOT UDP! Also, whenever possible I'd use TLS.

Trusted Contributor.

Re: What's the best approach to receive syslog from different network devices?


I don't have lots of segments, that's not really my case, I was just wondering. One syslog connector for Cisco Firewalls and another for other network devices (routers, switches, APNs etc.) will be plenty for me. Maybe a syslog for each type of network device, I will check the throughput and act accordingly.

As a side note, what is this case about "use TCP syslog and not UDP", why? Usually I see people using syslog on UDP.

Knowledge Partner

Re: What's the best approach to receive syslog from different network devices?


Well, when you use UDP, unless you have a load balancer, whenever the Connector is down... for example when it is updated... you will LOSE events! For obvious reasons that is not acceptable for a company. When you use TCP, the source device will cache the events for a short while and resend them once the Connector is back. Of course you will have to configure the source device correctly (cache size).

Also, using UDP there is a larger chance of losing events sporadically. I've had customers where there was event loss when UDP events were crossing a firewall.

Is there a reason you do not want to install several Connectors, by the way? You can easily install several of those on one host just to separate the device types. It's not just about the throughput.
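The "configure the cache size correctly" point above has a simple quantitative side: the sender's cache has to hold every event produced during the longest outage you expect, otherwise TCP only reduces the loss rather than removing it. The following is an added example, not ArcSight or Micro Focus code; it is a constructed model of a device emitting a fixed EPS while the connector is down, not a measurement of any real product, and the 3000 EPS / 60 second figures are made up for illustration.

```python
"""Event loss during a collector outage: UDP vs TCP with a bounded sender cache.

Added example; not ArcSight or Micro Focus code. A constructed model of the
behaviour described in the reply above: a device emits `eps` events per second
while the connector is down for `outage_seconds`. Over UDP every event sent
during the outage is gone. Over TCP the device keeps events in a local cache
and replays them once the connector is back, but only as many as the cache
holds, so the cache must be sized for the outage you expect (for example the
time a connector upgrade takes).
"""


def simulate_outage(transport, eps, outage_seconds, total_seconds, cache_size=0):
    """Return (delivered, lost) event counts. The collector is down for the
    first outage_seconds of the run and up for the remainder. Events still
    cached when the run ends are counted in neither figure."""
    if transport not in ("udp", "tcp"):
        raise ValueError("transport must be 'udp' or 'tcp'")
    cached = 0  # events held on the device awaiting resend (TCP only)
    delivered = lost = 0
    for second in range(total_seconds):
        if second >= outage_seconds:
            delivered += cached + eps  # replay the backlog, then this second's events
            cached = 0
        elif transport == "tcp":
            kept = min(eps, cache_size - cached)
            cached += kept
            lost += eps - kept  # cache full: the excess is dropped on the device
        else:
            lost += eps  # fire-and-forget: no retry, no backlog
    return delivered, lost


def cache_for(eps, outage_seconds):
    """Smallest sender cache (in events) that survives an outage of this length."""
    return eps * outage_seconds


if __name__ == "__main__":
    runs = [
        ("udp", dict(transport="udp")),
        ("tcp, 100k cache", dict(transport="tcp", cache_size=100_000)),
        ("tcp, sized cache", dict(transport="tcp", cache_size=cache_for(3000, 60))),
    ]
    for label, kwargs in runs:
        d, l = simulate_outage(eps=3000, outage_seconds=60, total_seconds=120, **kwargs)
        print(f"{label:18s} delivered={d:7d} lost={l:7d}")
```

With a 60 second outage at 3000 EPS the device needs room for 180,000 events; a 100,000-event cache still loses 80,000, and UDP loses all 180,000. The same arithmetic is the check to run against the real device's cache setting before relying on TCP for the upgrade windows mentioned above.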

Trusted Contributor.

Re: What's the best approach to receive syslog from different network devices?

No particular reason, I will use multiple connectors.