Syslog Collection

Lately I’ve been thinking about ways to collect syslog data from network devices (especially Cisco and pfSense). Traditionally I’ve used commercial solutions, but would really like to have a simple open source solution to supply my clients early in a network consulting engagement. This post documents the search, and hopefully ends with a Preferred Solution.
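Whatever tool ends up as the Preferred Solution will do the same first step on every datagram these devices send: split the <PRI> header into facility and severity, then pick apart the vendor-specific header that follows (Cisco IOS prefixes a sequence number and timestamp but usually no hostname; pfSense sends the classic BSD "Mmm dd hh:mm:ss host" header). The receiver and parser below is an added example written for this post, not code from Logstash, syslog-ng or Logzilla; the Cisco and pfSense sample lines are constructed, and the parser assumes the RFC 3164 wire format with Cisco's default facility of local7.

```python
"""Minimal UDP syslog receiver and RFC 3164-style parser (added example, not from the post)."""
import re
import socket
from dataclasses import dataclass
from typing import Optional

FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console", "solaris-cron",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>")
# Classic BSD header used by pfSense/FreeBSD: "Mmm dd hh:mm:ss host rest"
BSD_HDR_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$", re.S
)
# Cisco IOS header: optional "seq: ", optional "*" or "." clock-status mark, timestamp, ": "
CISCO_HDR_RE = re.compile(
    r"^(?:\d+: )?[*.]?(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d(?:\.\d+)?(?: [A-Z]+)?): (?P<msg>.*)$",
    re.S,
)
# Cisco mnemonic such as %SYS-5-CONFIG_I (facility-severity-mnemonic)
CISCO_MNEMONIC_RE = re.compile(r"%([A-Z0-9_]+-\d-[A-Z0-9_]+)")


@dataclass
class SyslogEvent:
    facility: str
    severity: str
    timestamp: Optional[str]
    host: Optional[str]
    mnemonic: Optional[str]
    message: str


def parse_syslog(raw: bytes) -> SyslogEvent:
    """Parse one datagram. Malformed input never raises; it degrades to user.notice
    with the whole text as the message, which is what RFC 3164 prescribes."""
    text = raw.decode("utf-8", errors="replace").rstrip("\r\n")
    facility, severity, rest = "user", "notice", text
    m = PRI_RE.match(text)
    if m and int(m.group(1)) <= 191:  # valid PRI values are 0..191
        fac_num, sev_num = divmod(int(m.group(1)), 8)
        facility, severity = FACILITIES[fac_num], SEVERITIES[sev_num]
        rest = text[m.end():]
    timestamp = host = None
    h = BSD_HDR_RE.match(rest) or CISCO_HDR_RE.match(rest)
    if h:
        timestamp, rest = h.group("ts"), h.group("msg")
        host = h.groupdict().get("host")  # Cisco header carries no hostname
    c = CISCO_MNEMONIC_RE.search(rest)
    return SyslogEvent(facility, severity, timestamp, host, c.group(1) if c else None, rest)


def is_at_least(ev: SyslogEvent, threshold: str) -> bool:
    """True if the event is as severe as `threshold` or worse (lower index = more severe)."""
    return SEVERITIES.index(ev.severity) <= SEVERITIES.index(threshold)


def serve(bind_addr: str = "0.0.0.0", port: int = 514) -> None:
    """Receive UDP syslog forever and print one normalized line per event (port 514 needs root)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    while True:
        data, (src, _) = sock.recvfrom(65535)
        ev = parse_syslog(data)
        print(f"{src} {ev.facility}.{ev.severity} host={ev.host} "
              f"mnemonic={ev.mnemonic} {ev.message}")


# Constructed sample datagrams (not captured from real devices).
SAMPLE_CISCO = b"<189>45: *Mar  1 00:12:34.567: %SYS-5-CONFIG_I: Configured from console by vty0 (192.0.2.10)"
SAMPLE_PFSENSE = b"<38>Jan 12 10:22:01 pfSense sshd[1234]: Accepted publickey for admin from 192.0.2.20 port 51234 ssh2"
SAMPLE_NO_PRI = b"plain text without a PRI header"

if __name__ == "__main__":
    for raw in (SAMPLE_CISCO, SAMPLE_PFSENSE, SAMPLE_NO_PRI):
        print(parse_syslog(raw))
```

Run it as a script to see the three parsed samples, or call serve() on a host the devices are pointed at. The two header regexes are deliberately permissive about what follows them, so a line from a device with an unexpected format is still kept with its facility and severity rather than dropped.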

A long time ago I discovered a tool called Logstash (https://en.wikipedia.org/wiki/Elasticsearch) which sounds like it was made for the job. I may always love the logo! It turns out that Logstash is a log-parsing engine, and feeds its data into an Elastic database which uses Kibana for presentation. It looks like setting this up requires many servers and is much bigger and more complex than I really want.

Next up is a tool called syslog-ng (https://www.syslog-ng.com/). It looks like a powerful tool, but the open source version includes only command line support. Most of my clients are more comfortable with graphical user interfaces (aka GUIs), so I’d like to expose syslog data to them through a GUI even if I manage it using the command line. Searching for an accompanying tool led me to an interesting option: Logzilla (https://www.syslog-ng.com/community/b/blog/posts/web-interfaces-for-your-syslog-server-an-overview/). According to the post “Logzilla focuses on logs from Cisco devices” – a perfect fit!

Logzilla is another open source solution (https://www.logzilla.net/). They’re marketing it as Network Event Orchestration (NEO). The NEO engine can be used at no cost for less than one million events per day. It runs in a docker container and has the following system requirements:

  • Docker version 18+
  • 8 CPU cores
  • 8 GB RAM
  • 1000 disk IOPS

Logzilla makes a VM image available: https://logzilla.sh/LogZilla-NEO.ova. It is a sizeable download, but makes for an easy install.

What if I want to run NEO on a FreeBSD system? Then I’d need to install Docker on FreeBSD (which is broken today), as detailed here: https://wiki.freebsd.org/Docker. Then it looks like I would need to install the application using the following command: curl -fsSL https://logzilla.sh | bash.