
Logging buffered or no logging buffered

hartija
Level 1

We have a debate going on in our office about buffering logs. We are using CW as our syslog server for a network with approx. 450 Cisco devices (switches, routers, APs, firewalls, etc.). The debate has to do with whether we should be buffering logs.

Some techs in the group say that it is recommended to set "no logging buffered" if you are sending logs to a syslog server. Others point out that this can be an issue if you are at a downed site and/or don't have access to CW. What is the recommendation for buffering logs? I don't see an issue with both buffering and sending to syslog server. Any advice?

2 Replies

yjdabear
VIP Alumni

Syslogging should ideally go to more than one server. Cisco devices sometimes generate syslogs before they boot up fully, so maintaining a logging buffer can have unique value, such as what I just ran into recently with SYS-2-PS_FAIL: http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Network%20Infrastructure&topic=Network%20Management&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.1ddb12ee

Jason Davis
Cisco Employee

Logging buffered and logging to 2 syslog servers is generally considered a leading practice with my team. Logging buffered gets you some 'fallback' in case you need the logs before a device has fully rebooted and reestablished routes. It can also be the source if a network partition happens and no NMS access is available.

What you DON'T want to do is have more than 4 syslog event receivers. I worked with a customer that had 9... 4 were going to servers in the same subnet. If you have a lot of need for syslog processing (multiple NMSs, IDSs, etc.), look at syslog repeaters like Syslog-NG.
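
An added example, not part of the original posts: a Python check that audits saved running-configs against the practice described in the replies above (local buffer enabled, at least two syslog receivers, never more than four). It assumes IOS-style `logging buffered` and `logging host` / `logging <ip>` lines; the hostnames, addresses and sample configs are constructed for illustration.

```python
import re

# Thresholds taken from the replies in this thread: two receivers, never more than four.
MIN_RECEIVERS = 2
MAX_RECEIVERS = 4

# Matches both "logging host 192.0.2.10 ..." and the older "logging 192.0.2.10" form.
HOST_RE = re.compile(r"^logging (?:host )?(\d{1,3}(?:\.\d{1,3}){3})\b")


def audit_logging(config_text):
    """Return (buffered, receivers, findings) for one device's running-config text."""
    buffered = None  # None = no explicit line, so the platform default applies
    receivers = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("no logging buffered"):
            buffered = False
        elif line.startswith("logging buffered"):
            buffered = True
        else:
            m = HOST_RE.match(line)
            if m and m.group(1) not in receivers:
                receivers.append(m.group(1))

    findings = []
    if buffered is False:
        findings.append("local buffer disabled: no on-box logs if the syslog servers are unreachable")
    elif buffered is None:
        findings.append("no explicit 'logging buffered' line: platform default applies")
    if len(receivers) < MIN_RECEIVERS:
        findings.append(f"{len(receivers)} syslog receiver(s), want at least {MIN_RECEIVERS}")
    elif len(receivers) > MAX_RECEIVERS:
        findings.append(f"{len(receivers)} syslog receivers, more than {MAX_RECEIVERS}: use a relay")
    return buffered, receivers, findings


# Constructed sample configs (documentation-range addresses, hypothetical hostnames).
SAMPLES = {
    "sw-branch-01": "hostname sw-branch-01\nno logging buffered\nlogging host 192.0.2.10\n",
    "rtr-core-01": "hostname rtr-core-01\nlogging buffered 16384 informational\n"
                   "logging host 192.0.2.10\nlogging 192.0.2.11\nlogging trap informational\n",
    "rtr-hub-02": "logging buffered 8192\n"
                  + "".join(f"logging host 198.51.100.{i}\n" for i in range(1, 10)),
}

if __name__ == "__main__":
    for name, cfg in SAMPLES.items():
        _, _, findings = audit_logging(cfg)
        print(name, "OK" if not findings else "; ".join(findings))
```

Run over a directory of config backups, this gives a per-device list of which boxes would leave you without local logs at a downed site and which are fanning out to too many receivers.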