<div dir="auto">We're currently using syslog-ng and are moving away from it as the project hasn't been updated in years (obscurity is not security). We're collecting with rsyslog and sending to Splunk for search and visualization.<div dir="auto"><br></div><div dir="auto">Right now we're only testing with rsyslog and only have it configured on a single host. We're building out a new DC and are going to setup rsyslog as primary.</div><div dir="auto"><br></div><div dir="auto">Im going to ask our ITSEC about the data points we're collecting and I'll let the group know what I find.<br><div dir="auto"><br><div data-smartmail="gmail_signature" dir="auto">Thanks,<br>Alexander.<br><br>Sent from my Samsung Galaxy S8+</div></div></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Dec 12, 2018 20:56, "Amit Nepal" <<a href="mailto:amit@amitnepal.com">amit@amitnepal.com</a>> wrote:<br type="attribution"><blockquote class="quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
<p>I suggest looking into syslog-ng for centralized log server.
Clients can use rsyslog for unix and nxlog for windows. Syslog-ng
is scalable, high speed and provides a lot of features for
parsing, alerting, co-relating etc. You can Use Syslog-ng for
central log collection, send it to elasticsearch , analyze with
Kibana and visualize with grafana. I have been using all this on a
VM with 4G of RAM and 2 Cores of VCPU and seems to be working
okay. 15 servers including web and mail servers are sending logs
to the Log server. Additionally, I am also using wazuh for
alerting and sending data to elastic search as well. I believe,
the resource requirement will depend on the EPS rather than number
of hosts. <br>
</p>
<p>Thank You !<br>
</p>
<pre class="m_-6531421801677566766moz-signature" cols="72">Amit K Nepal
(OSCP, CISM, CISSP, RHCE, CCENT, C|EH, C|HFI, GIAC ISO 27000 Specialist)
</pre><div class="elided-text">
<div class="m_-6531421801677566766moz-cite-prefix">On 12/12/2018 2:09 PM, Snyder,
Alexander J wrote:<br>
</div>
</div><blockquote type="cite"><div class="elided-text">
<div dir="auto">Looking for suggestions on what kind of physical
resources would suggested to building a central logging server
for an enterprise company.
<div dir="auto"><br>
</div>
<div dir="auto">rsyslog is new for the company, so we're looking
to "do it right" from the ground up.</div>
<div dir="auto"><br>
</div>
<div dir="auto">How many hosts should be needed to log
networking and storage appliances?</div>
<div dir="auto"><br>
</div>
<div dir="auto">Advice on memory, CPU, and disk are requested.
Will be running CentOS7.<br>
<br>
<div data-smartmail="gmail_signature" dir="auto">Thanks,<br>
Alexander.<br>
<br>
Sent from my Samsung Galaxy S8+</div>
</div>
</div>
<br>
<fieldset class="m_-6531421801677566766mimeAttachmentHeader"></fieldset>
</div><div class="quoted-text"><pre class="m_-6531421801677566766moz-quote-pre">---------------------------------------------------
PLUG-discuss mailing list - <a class="m_-6531421801677566766moz-txt-link-abbreviated" href="mailto:PLUG-discuss@lists.phxlinux.org" target="_blank" rel="noreferrer">PLUG-discuss@lists.phxlinux.org</a>
To subscribe, unsubscribe, or to change your mail settings:
<a class="m_-6531421801677566766moz-txt-link-freetext" href="https://lists.phxlinux.org/mailman/listinfo/plug-discuss" target="_blank" rel="noreferrer">https://lists.phxlinux.org/mailman/listinfo/plug-discuss</a></pre>
</div></blockquote>
</div><div class="elided-text">
---------------------------------------------------<br>
PLUG-discuss mailing list - <a href="mailto:PLUG-discuss@lists.phxlinux.org" target="_blank" rel="noreferrer">PLUG-discuss@lists.phxlinux.org</a><br>
To subscribe, unsubscribe, or to change your mail settings:<br>
<a href="https://lists.phxlinux.org/mailman/listinfo/plug-discuss" rel="noreferrer noreferrer" target="_blank">https://lists.phxlinux.org/mailman/listinfo/plug-discuss</a></div></blockquote></div><br></div>