
01-07-2014 07:26 AM
Hi,
My requirement is to allocate bandwidth usage for a network segment which has a SIEM tool collecting logs for multiple Cisco devices. I could find that there is an average of 50000 logs per hour flowing from network devices to the SIEM.
How can I get a rough idea of how much network data would be used by these logs?
Please advise
Thanks
Regards,
Sreejith
Accepted Solutions
01-07-2014 10:52 AM
Sorry, but I'm not sure what you mean by size of log?
Do you mean one particular syslog sent by a Cisco device (like switch, router, security etc. devices)?
The full format of a Syslog message seen on the wire has three distinct parts:
• PRI (priority)
• HEADER
• MSG (message text)
The total length of the packet cannot exceed 1024 bytes. There is no minimum length.
Devices are expected to comply with the following rules while sending Syslogs:
• Device should include PRI as recommended by RFC 3164
• Device could optionally send Timestamp information in RFC recommended format in the header. The RFC recommendation does not include the TIMEZONE information. Hence, it is assumed that the device sends the local time and that the device and Server are in the same time zone.
• Device could optionally send Hostname information in the header.
• To support devices that are in different time zones than the server, IOS allows configuring the devices to send the Time Information along with TZ, optionally, in the message part of the Syslog packet.
Such timestamps should be prefixed with some separator character (like * or :), so the Syslog daemons (such as unix syslogd) do not treat them as header information. This could cause unix syslogd to misinterpret the time information, because they ignore the TZ part of the Timestamp.
Considering the above, devices should send Syslogs in one of the following formats:
Format A
<187> [timestamp in RFC prescribed format] [device dns name | ip address] [Dummy Value/Counter : ] [ {:|*} mmm dd hh:mm:ss TimeZone ] %FACILITY-[SUBFACILITY-]SEVERITY-MNEMONIC: description
Format B
<187> [timestamp in RFC prescribed format] [device dns name | ip address] [Dummy Value/Counter : ] [ {:|*} yyyy mmm dd hh:mm:ss TimeZone <-|+> hh:mm] %FACILITY-[SUBFACILITY-]SEVERITY-MNEMONIC: description
Examples of good syslog messages: [ as sent by the device ]
<187>%PIX-4-106023 description
<187>Mar 23 10:21:03 %PIX-4-106023 description
<187>*Mar 23 12:12:12 PDT %PIX-4-106023 description
<187>Mar 23 10:21:03 *Mar 23 12:12:12 PDT %PIX-4-106023 description
<187>Mar 23 10:21:03 *2003 Mar 23 12:12:12 PDT -8:00 %PIX-4-106023 description
<187>Mar 23 10:21:03 93: *2003 Mar 23 12:12:12 PDT -8:00 %PIX-4-106023 description
It is difficult to tell the size, but as it can't exceed 1024 you can consider the 50000 msgs x 1024 bytes = 51200000 bytes. This comes out to be roughly 48.85 MB approx.
Hope this clarifies.
-Thanks
Vinod
**Rating encourages contributors, and it's really free. **
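As an added illustration (my own code, not from Vinod's answer or any Cisco tool), the following parser splits the six example lines above into the parts the answer lists (PRI, RFC 3164 header timestamp, optional counter, `*`/`:`-prefixed device timestamp with time zone, and the %FACILITY-SEVERITY-MNEMONIC tag) and then turns the measured payload sizes into a bandwidth budget next to the 1024-byte worst case. The 42-byte per-datagram overhead (Ethernet 14 + IPv4 20 + UDP 8) is my assumption, not something the thread states.

```python
import re
from typing import Dict, List, Optional

# Grammar of the Cisco syslog formats listed in the answer (regex is added here, not from the post):
#   <PRI>[RFC 3164 timestamp ][hostname|ip ][counter: ][{*|:}device time with TZ ]%FACILITY[-SUB]-SEVERITY-MNEMONIC: text
CISCO_SYSLOG = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?:(?P<hdr_ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) )?"  # RFC 3164 header timestamp (no TZ)
    r"(?:(?P<host>[A-Za-z0-9._-]+) )?"                                # optional hostname / IP in the header
    r"(?:(?P<seq>\d+): )?"                                            # optional 'Dummy Value/Counter : '
    r"(?:[*:](?P<dev_ts>[^%]*?) )?"                                   # separator-prefixed device time incl. TZ
    r"%(?P<facility>[A-Z0-9_]+)(?:-(?P<sub>[A-Z_][A-Z0-9_]*))?"
    r"-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):? ?(?P<text>.*)$"
)

def parse(line: str) -> Optional[Dict[str, object]]:
    """Split one Cisco syslog line into its parts; None if it matches none of the formats above."""
    m = CISCO_SYSLOG.match(line)
    if not m:
        return None
    d: Dict[str, object] = m.groupdict()
    pri = int(m.group("pri"))
    # RFC 3164: PRI = facility * 8 + severity, so <187> is local7 (23) at severity 3
    d["pri_facility"], d["pri_severity"] = pri >> 3, pri & 7
    d["payload_bytes"] = len(line.encode("utf-8"))
    return d

def estimate_bandwidth(lines: List[str], msgs_per_hour: int = 50000,
                       max_payload: int = 1024, datagram_overhead: int = 42) -> Dict[str, float]:
    """Hourly/per-second budget: worst case from the 1024-byte limit, and measured from sample lines.
    datagram_overhead assumes Ethernet(14)+IPv4(20)+UDP(8) bytes per syslog datagram (my assumption)."""
    sizes = [len(l.encode("utf-8")) for l in lines]
    avg = sum(sizes) / len(sizes)
    worst_hour = msgs_per_hour * max_payload                    # 50000 x 1024 = 51200000 bytes
    measured_hour = msgs_per_hour * (avg + datagram_overhead)
    return {"avg_payload_bytes": avg,
            "worst_case_bytes_per_hour": worst_hour,
            "worst_case_kbps": worst_hour * 8 / 3600 / 1000,
            "measured_bytes_per_hour": measured_hour,
            "measured_kbps": measured_hour * 8 / 3600 / 1000}

# Constructed sample: the six example messages from the answer above
SAMPLE = [
    "<187>%PIX-4-106023 description",
    "<187>Mar 23 10:21:03 %PIX-4-106023 description",
    "<187>*Mar 23 12:12:12 PDT %PIX-4-106023 description",
    "<187>Mar 23 10:21:03 *Mar 23 12:12:12 PDT %PIX-4-106023 description",
    "<187>Mar 23 10:21:03 *2003 Mar 23 12:12:12 PDT -8:00 %PIX-4-106023 description",
    "<187>Mar 23 10:21:03 93: *2003 Mar 23 12:12:12 PDT -8:00 %PIX-4-106023 description",
]

if __name__ == "__main__":
    for l in SAMPLE:
        p = parse(l)
        print(p["facility"], p["severity"], p["mnemonic"], p["seq"], p["dev_ts"], p["payload_bytes"])
    print(estimate_bandwidth(SAMPLE))
```

Feed it a capture of real messages instead of SAMPLE to replace the 1024-byte ceiling with a measured average; the worst-case figure is the same 51200000 bytes per hour the answer arrives at.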
01-07-2014 08:05 PM
Hi Vinod,
Many thanks for the explanation. Now I have more clarity.
Thanks
Sreejith
