Absent Member.
405 views

Autoroute Event Source


Hi all,

how can I autoroute the newly registered event source server to one of my
two Cisco collectors?
I would like to send all routers with IP A/24 to Cisco Collector A, and all
the rest to Cisco Collector B.
Which filter is to be implemented, and where?

Torsten


--
tfechner
------------------------------------------------------------------------
tfechner's Profile: https://forums.netiq.com/member.php?userid=8929
View this thread: https://forums.netiq.com/showthread.php?t=55486

0 Likes
7 Replies
Knowledge Partner

Re: Autoroute Event Source

On 03/07/2016 06:04 AM, tfechner wrote:
>
> Hi all,
>
> how can I autoroute the newly registered event source server to one of my
> two Cisco collectors?


Cisco is a company, so presumably you have a collector for one of their
products. Care to share which? Beyond which specific one, could you also
share a version (in case you are just dealing with Switch and Router)?

> I would like to send all routers with IP A/24 to Cisco Collector A, and all
> the rest to Cisco Collector B.


The Cisco Switch and Router collector uses syslog normally, so I normally
set up one collector to use the syslog connector on one port, and another
with the connector on another port, all linked appropriately within Event
Source Management (ESM). The result is that anything connecting to one
socket is then automatically sent to the collector linked to the connector
which is associated with that listening socket.

> Which filter is to be implemented, and where?


Have you tried creating the event source nodes ahead of time?

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below...
0 Likes
Absent Member.

Re: Autoroute Event Source


Hi ab,

I use the Cisco Switch and Router Collector, same as you, from the web
site.
My setup is almost the same as yours: 2 ports for our Cisco equipment,
but using two separate "Cisco Switch and Router" Collectors. Why? To
have different alert rules based on the collector and to share the
load.
The auto-routing for Cisco syslogs is only done if the connector
receives a "syslog-5-conf" message; normal up/down messages do not
trigger this mechanism.
So this event source server is auto-created in the "NetIQ Universal
Event" collector.
To distinguish between the two kinds of switches I would like to use the
IP subnet.


--
tfechner

0 Likes
Absent Member.

Re: Autoroute Event Source


tfechner;265815 Wrote:
> Hi ab,
>
> I use the Cisco Switch and Router Collector, same as you, from the web
> site.
> My setup is almost the same as yours: 2 ports for our Cisco equipment,
> but using two separate "Cisco Switch and Router" Collectors. Why? To
> have different alert rules based on the collector and to share the
> load.
> The auto-routing for Cisco syslogs is only done if the connector
> receives a "syslog-5-conf" message; normal up/down messages do not
> trigger this mechanism.
> So this event source server is auto-created in the "NetIQ Universal
> Event" collector.
> To distinguish between the two kinds of switches I would like to use the
> IP subnet.


I would suggest implementing this slightly differently:


- Do the alert rules based on subnet rather than on collector. That
gives you the flexibility later to adjust load etc. however you need to
without adapting correlation rules. This becomes more important over
the next few years as Sentinel transitions to an elastic-scale
infrastructure, where at some point we might not have a lot of these
custom instances to balance load like we do.
- You can actually load-balance off of a single event source server
by creating two collector instances and manually migrating the event
sources to the second (or third, or fourth) instance. The setup you
and Aaron are talking about is definitely viable, but you pay the cost
of two ESSs and extra CPU contention (unless you have CPU cores to
burn).


Does this approach seem viable? If so let me know, I'm curious myself
where it works and where it falls flat.


--
brandon.langley
------------------------------------------------------------------------
brandon.langley's Profile: https://forums.netiq.com/member.php?userid=350
View this thread: https://forums.netiq.com/showthread.php?t=55486

0 Likes
Absent Member.

Re: Autoroute Event Source

We have used this approach for a few years now and it works fine to spread the load over multiple cores.
One thing you have to keep in mind is that new event sources are created in one collector, and it isn't necessarily the first one.
So look where new event sources are created and move the event sources to the other(s) to spread the load.
I would take the 'heavy load' ones first, because you can move only one at a time.

Hope this helps,
Anco
0 Likes
Absent Member.

Re: Autoroute Event Source


Hmm.. this is a little bit confusing to me:
two ESSs? This means 2 UDP ports. We have many UDP ports for syslogs for
different departments for user access management.

The original problem is (a picture might help) this:


Code:
--------------------

RCM-> Cisco Collector1
          ConnectorUDP 514
      Cisco Collector
          ConnectorUDP 514
          ConnectorUDP 515
      NetIQ-Universal Collector
          ConnectorUDP 514
          ConnectorUDP 515
          ConnectorUDP 516
          ConnectorUDP 517
          ....
      Netscaler Collector ....
      ....

--------------------


As soon as a new syslog is received it is matched against all Collectors,
and if none matches the Universal Collector will be used (as long as no
conf-5-syslog has been seen).
I would like to autoroute this new event server to Cisco Coll2.
Or, a better way: if I choose in the web GUI -> Collection -> Event
Sources the service to be moved and adjust the collector through the
drop-down menu, Sentinel chooses a Collector (mostly the first one I
created). But in this case a filter should be used to autoroute this
movement to the correct collector based on the subnet.


--
tfechner

0 Likes
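The routing logic discussed in this thread, written out as an added example that is not part of the original posts and not Sentinel's own code: the port-to-collector linkage ab describes, the further split by source subnet Torsten asks for, and Brandon's suggestion of keying alert rules on subnet rather than on collector so that moving sources between collector instances never touches a rule. The collector names, the 10.10.1.0/24 and 10.10.2.0/24 subnets, the routing table and the sample datagrams are constructed for the example, and it assumes the "syslog-5-conf" message mentioned above is the Cisco IOS %SYS-5-CONFIG_I event.

```python
"""Subnet-aware routing of syslog sources to collectors.

Added example, not NetIQ Sentinel code. Models the two routing layers the
thread discusses: ESM links each listening port to a collector, and sources
that share a port are split further by source subnet.
"""
import ipaddress
import re

# Hypothetical routing table, checked top to bottom:
# (listening UDP port, source subnet or None for "any") -> collector name.
ROUTES = [
    (514, ipaddress.ip_network("10.10.1.0/24"), "Cisco Collector A"),  # the A/24
    (514, None, "Cisco Collector B"),                                  # rest of port 514
    (515, None, "Cisco Collector B"),                                  # second Cisco port
]
# Where a source lands when no route matches (the thread's Universal collector).
DEFAULT_COLLECTOR = "NetIQ Universal Event Collector"

# Alert rules keyed on subnet rather than collector, so re-balancing sources
# across collector instances does not require changing any rule.
ALERT_GROUPS = {
    ipaddress.ip_network("10.10.1.0/24"): "core-routers",
    ipaddress.ip_network("10.10.2.0/24"): "access-switches",
}

# IOS configuration-change message. The thread calls it "syslog-5-conf";
# this example assumes %SYS-5-CONFIG_I is the message meant.
CONFIG_MSG = re.compile(r"%SYS-5-CONFIG_I:")


def route_source(src_ip: str, port: int) -> str:
    """Pick the collector for a source: first by listening port, then by subnet."""
    ip = ipaddress.ip_address(src_ip)
    for route_port, net, collector in ROUTES:
        if route_port != port:
            continue
        if net is None or ip in net:
            return collector
    return DEFAULT_COLLECTOR


def alert_group(src_ip: str) -> str:
    """Group used by alert rules; depends only on the source subnet."""
    ip = ipaddress.ip_address(src_ip)
    for net, group in ALERT_GROUPS.items():
        if ip in net:
            return group
    return "unclassified"


def is_config_message(msg: str) -> bool:
    """True for the message that would trigger auto-creation of the event source."""
    return CONFIG_MSG.search(msg) is not None


def process(datagrams):
    """Return one record per (src_ip, port, payload) tuple."""
    records = []
    for src_ip, port, msg in datagrams:
        records.append({
            "source": src_ip,
            "collector": route_source(src_ip, port),
            "alert_group": alert_group(src_ip),
            "auto_create": is_config_message(msg),
        })
    return records


# Constructed sample datagrams: (source IP, listening port, syslog payload).
SAMPLE = [
    ("10.10.1.7", 514, "<189>45: *Mar  7 10:04:01.123: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.5)"),
    ("10.10.2.7", 514, "<189>46: *Mar  7 10:04:02.456: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down"),
    ("10.10.2.8", 515, "<189>47: *Mar  7 10:04:03.789: %SYS-5-CONFIG_I: Configured from console by ops on vty1 (10.0.0.6)"),
    ("192.0.2.9", 516, "<14>Mar  7 10:04:04 host1 app[12]: unrelated application log"),
]

if __name__ == "__main__":
    for rec in process(SAMPLE):
        print(rec)
```

In Sentinel the first layer happens inside ESM when a connector on a given port is linked to a collector; the second layer, the subnet split on a shared port, is the piece the thread finds no built-in filter for, and the script only shows the decision logic that such a filter would have to encode. Note that only the %SYS-5-CONFIG_I datagrams are flagged as auto-creating a source, matching the observation above that link up/down messages do not trigger the mechanism.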
Knowledge Partner

Re: Autoroute Event Source

On 03/09/2016 03:04 AM, tfechner wrote:
>
> mh.. a little bit confusing me:
> two ESSs? This means 2 UDP ports. We have many UDP ports for syslogs for


I do not mean to fork this thread, but I have to ask: why are you using
UDP? By definition it is unreliable, meaning that it's worthless for
anything related to compliance/legal, and should not be trusted for
auditing (logging is another story, but logging is nice to have, while
auditing is often critical or required by the business, government, etc.).

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below...
0 Likes
Absent Member.

Re: Autoroute Event Source


Some systems do not boot up if the logging system is not available at
the time the TCP connection should be established. In the beginning the
Sentinel system here was very unstable.
Next, most systems do not support syslog over TCP.


--
tfechner

0 Likes
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.