
Which Syslog events to filter

Status
Not open for further replies.

snootalope (IS-IT--Management, US, 1,706 posts), Jun 28, 2001
Hello

For those of you that run a syslog server, you probably know that syslogs can grow extremely fast, right?

Well, I'm trying to determine which events to filter out so the logs are much easier to evaluate.

At the moment, I have my syslog level set at "Warnings". What level does everyone else use? Do you filter events? Do you have a certain solution for viewing/searching/dividing the important events from the not so important events?

I see a million "Deny ICMP echo request" logs and other not so crucial events. But the logs can be HUGE and take FOREVER to get through.

Just looking for advice, opinions, or anyone else's methods.

thanks for sharing!!
-snooter
 
What logging level I set a device to really depends on what kind of messages I'm interested in seeing so it really varies.

That said, it sounds like you need some kind of Syslog Manager to help you scythe through a lot of the repetitive messages to get to the stuff you are interested in. One with perhaps an ODBC Database connection would be nice too for quick search and retrieval functions. Try Googling 'Syslog Manager' or something similar - I'm sure you'll find something that may help.
 
Thanks man! I went out and got the Adventnet Syslog Server. Got it all set up, looks like it should work pretty slick.

I've got an issue with it though that I can't figure out how to get rid of. According to the console log on my pix, the internal server I installed the syslog server on is trying to access the pix via UDP 137 for its updates/logs. Like so:

710003: UDP access denied by ACL from 10.10.1.12/137 to inside:10.10.10.254/137

So, I'm trying to figure out what management service would use UDP and port 137??? I thought that was a Windows name service. Anyway, got any ideas? I've enabled HTTP, SSH, and SNMP like Cisco's KB says. 'Course, didn't help.
 
Oh duh, never mind. I downloaded the EventLog manager, as in Windows Event log. Oops!
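The two practical problems in this thread are the same problem seen from two sides: the syslog is dominated by repetitive deny messages (the "Deny ICMP echo request" flood in the original question), and the one message that actually mattered (the 710003 UDP/137 deny from the syslog host itself) was easy to miss in the noise. A defensible answer is to aggregate the noisy message IDs into per-source counts instead of dropping them, so that a burst from one source still surfaces, and keep every other message line by line. The script below is an added example, not code from the thread or from Adventnet's product. It parses PIX-style lines of the form shown in the thread (`710003: UDP access denied by ACL from ...`, with or without a `%PIX-<severity>-` prefix). The sample lines are constructed; only the 710003 line is taken from the thread, and the ICMP deny message ID `106014` and its text layout are assumed for illustration.

```python
import re
from collections import Counter

# Matches both the bare form quoted in the thread ("710003: ...") and the
# prefixed form a syslog server receives ("%PIX-3-710003: ...").
LINE_RE = re.compile(r"^(?:%PIX-(?P<sev>\d)-)?(?P<msg_id>\d{6}):\s*(?P<text>.*)$")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Message IDs treated as noise: counted per source instead of kept verbatim.
# 106014 is an assumed ID for the "Deny ICMP echo request" messages the
# thread mentions; it is not quoted on the page.
NOISY_IDS = {"106014"}

# Constructed sample input. Line 1 is the message quoted in the thread; the
# rest are made up to show a burst from one source and a stray non-PIX line.
SAMPLE_LINES = [
    "710003: UDP access denied by ACL from 10.10.1.12/137 to inside:10.10.10.254/137",
    "%PIX-3-106014: Deny inbound icmp src outside:203.0.113.5 dst inside:10.10.10.254 (type 8, code 0)",
    "%PIX-3-106014: Deny inbound icmp src outside:203.0.113.5 dst inside:10.10.10.254 (type 8, code 0)",
    "%PIX-3-106014: Deny inbound icmp src outside:203.0.113.5 dst inside:10.10.10.254 (type 8, code 0)",
    "%PIX-3-106014: Deny inbound icmp src outside:198.51.100.7 dst inside:10.10.10.254 (type 8, code 0)",
    "%PIX-3-710003: UDP access denied by ACL from 10.10.1.12/137 to inside:10.10.10.254/137",
    "this line is not a PIX message and is skipped",
]


def parse_line(line):
    """Split one syslog line into severity, message ID, first source IP and text.

    Returns None for lines that do not look like a PIX message.
    """
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    text = m.group("text")
    # In both the 710003 ("from A/port to B/port") and the ICMP deny
    # ("src X dst Y") layouts the first IPv4 address in the text is the source.
    ip = IPV4_RE.search(text)
    return {
        "severity": int(m.group("sev")) if m.group("sev") else None,
        "msg_id": m.group("msg_id"),
        "src": ip.group(0) if ip else None,
        "text": text,
    }


def triage(lines, noisy_ids=NOISY_IDS, burst_threshold=3):
    """Keep non-noisy messages verbatim; count noisy ones per (msg_id, source).

    Returns (kept, noise, bursts): kept is the list of parsed records worth a
    human's attention, noise is a Counter of suppressed messages, and bursts is
    the subset of noise counters at or above burst_threshold, so that a single
    source sweeping the firewall is still reported even though its individual
    lines are not.
    """
    kept, noise = [], Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["msg_id"] in noisy_ids:
            noise[(rec["msg_id"], rec["src"])] += 1
        else:
            kept.append(rec)
    bursts = {key: n for key, n in noise.items() if n >= burst_threshold}
    return kept, noise, bursts


if __name__ == "__main__":
    kept, noise, bursts = triage(SAMPLE_LINES)
    print("kept messages:")
    for rec in kept:
        print(f"  {rec['msg_id']} sev={rec['severity']} src={rec['src']}: {rec['text']}")
    print("suppressed noise (msg_id, src) -> count:")
    for key, n in noise.items():
        print(f"  {key} -> {n}")
    print("bursts worth a look:", bursts)
```

Run as-is it keeps the two 710003 lines (the ones that revealed the NetBIOS-on-137 mistake) and folds the four ICMP denies into two counters, flagging 203.0.113.5 for sending three. In a real deployment the noisy ID set would be fed from the device's message catalogue and the threshold tuned per message ID, but the shape stays the same: filter by aggregation, not by deletion, so the logs shrink without losing the signal that a sweep or a misconfigured host produces.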
 