01-07-2014 07:26 AM
Hi,
My requirement is to allocate bandwidth usage for a network segment which has a SIEM tool collecting logs for multiple Cisco devices. I could find that there is an average of 50000 logs per hour flowing from the network devices to the SIEM.
How can I get a rough idea of how much network data would be used by these logs?
Please advise
Thanks
Regards,
Sreejith
01-07-2014 10:52 AM
Sorry, but not sure what you mean by size of log?
Do you mean one particular syslog sent by a Cisco device (like switch, router, security etc. devices)?
The full format of a Syslog message seen on the wire has three distinct parts:
• PRI (priority)
• HEADER
• MSG (message text)
The total length of the packet cannot exceed 1024 bytes. There is no minimum length.
Devices are expected to comply with the following rules while sending Syslogs:
• Device should include PRI as recommended by RFC 3164
• Device could optionally send Timestamp information in RFC recommended format in the header. The RFC recommendation does not include the TIMEZONE information. Hence, it is assumed that the device sends the local time and that the device and Server are in the same time zone.
• Device could optionally send Hostname information in the header.
• To support devices that are in different time zones than the server, IOS allows configuring the devices to send the Time Information along with TZ, optionally, in the message part of the Syslog packet.
Such timestamps should be prefixed with some separator character (like * or :), so the Syslog daemons (such as unix syslogd) do not treat them as header information. This could cause unix syslogd to misinterpret the time information, because they ignore the TZ part of the Timestamp.
Considering the above, devices should send Syslogs in one of the following formats:
Format A
<187> [timestamp in RFC prescribed format] [device dns name | ip address] [Dummy Value/Counter : ] [ {:|*} mmm dd hh:mm:ss TimeZone ] %FACILITY-[SUBFACILITY-]SEVERITY-MNEMONIC: description
Format B
<187> [timestamp in RFC prescribed format] [device dns name | ip address] [Dummy Value/Counter : ] [ {:|*} yyyy mmm dd hh:mm:ss TimeZone <-|+> hh:mm] %FACILITY-[SUBFACILITY-]SEVERITY-MNEMONIC: description
Examples of good syslog messages: [ as sent by the device ]
<187>%PIX-4-106023 description
<187>Mar 23 10:21:03 %PIX-4-106023 description
<187>*Mar 23 12:12:12 PDT %PIX-4-106023 description
<187>Mar 23 10:21:03 *Mar 23 12:12:12 PDT %PIX-4-106023 description
<187>Mar 23 10:21:03 *2003 Mar 23 12:12:12 PDT -8:00 %PIX-4-106023 description
<187>Mar 23 10:21:03 93: *2003 Mar 23 12:12:12 PDT -8:00 %PIX-4-106023 description
It is difficult to tell the size, but as it can't exceed 1024 you can consider the 50000 msgs x 1024 bytes = 51200000 bytes. This comes out to be roughly 48.85 MB approx.
Hope this clarifies.
-Thanks
Vinod
**Rating Encourages contributors, and its really free. **
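Added example (not from the original thread or from Cisco): a small Python script that splits the six sample messages above into PRI, header timestamp, device-side timestamp with time zone, optional counter and the %FACILITY-SEVERITY-MNEMONIC body, measures their on-the-wire size, and then turns a message rate into a bandwidth figure. It gives both the worst case the answer uses (every message padded to the 1024-byte RFC 3164 maximum) and an estimate from the observed average size of a sample, plus an optional per-packet allowance for IPv4 and UDP headers (28 bytes, my assumption for plain UDP syslog). The sample set is constructed from the examples in the answer; the hostname field in the header is not parsed.

```python
import re

# RFC 3164 caps the on-the-wire syslog packet at 1024 bytes; this is the
# worst-case size the answer above multiplies by the message rate.
MAX_SYSLOG_BYTES = 1024
# Assumed framing overhead for plain UDP syslog: 20-byte IPv4 + 8-byte UDP header.
IPV4_UDP_OVERHEAD = 28

# Constructed sample set: the six "good" messages listed in the answer.
SAMPLE_MESSAGES = [
    "<187>%PIX-4-106023 description",
    "<187>Mar 23 10:21:03 %PIX-4-106023 description",
    "<187>*Mar 23 12:12:12 PDT %PIX-4-106023 description",
    "<187>Mar 23 10:21:03 *Mar 23 12:12:12 PDT %PIX-4-106023 description",
    "<187>Mar 23 10:21:03 *2003 Mar 23 12:12:12 PDT -8:00 %PIX-4-106023 description",
    "<187>Mar 23 10:21:03 93: *2003 Mar 23 12:12:12 PDT -8:00 %PIX-4-106023 description",
]

PRI_RE = re.compile(r"^<(\d{1,3})>")
# RFC 3164 header timestamp: "Mmm dd hh:mm:ss", no time zone.
HEADER_TS_RE = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}")
# Device timestamp prefixed by '*' or ':' (Format A / Format B), with TZ and optional offset.
DEVICE_TS_RE = re.compile(
    r"[*:]\s?((?:\d{4} )?[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} [A-Z]{2,5}(?: [-+]\d{1,2}:\d{2})?)"
)
# Optional "Dummy Value/Counter :" field, e.g. "93: ".
COUNTER_RE = re.compile(r"(?:^|\s)(\d+):\s")
# %FACILITY-[SUBFACILITY-]SEVERITY-MNEMONIC: description
MNEMONIC_RE = re.compile(r"%([A-Z0-9_]+)-(?:([A-Z0-9_]+)-)?(\d)-([A-Z0-9_]+):?\s*(.*)$")


def parse_cisco_syslog(msg):
    """Split one Cisco syslog line into PRI, header fields and the %FAC-SEV-MNEMONIC body."""
    m = PRI_RE.match(msg)
    if not m:
        raise ValueError("missing <PRI>")
    pri = int(m.group(1))
    rest = msg[m.end():]
    body = MNEMONIC_RE.search(rest)
    if not body:
        raise ValueError("missing %FACILITY-SEVERITY-MNEMONIC")
    facility, subfacility, severity, mnemonic, description = body.groups()
    header = rest[:body.start()]
    header_ts = HEADER_TS_RE.match(header)
    device_ts = DEVICE_TS_RE.search(header)
    counter = COUNTER_RE.search(header)
    return {
        "pri": pri,
        "pri_facility": pri >> 3,  # PRI = facility * 8 + severity; 187 -> 23 (local7)
        "pri_severity": pri & 7,   # 187 -> 3
        "header_timestamp": header_ts.group(0) if header_ts else None,
        "device_timestamp": device_ts.group(1) if device_ts else None,
        "counter": int(counter.group(1)) if counter else None,
        "facility": facility,
        "subfacility": subfacility,
        "severity": int(severity),
        "mnemonic": mnemonic,
        "description": description,
        "wire_bytes": len(msg.encode("utf-8")),
    }


def bandwidth_estimate(msgs_per_hour, sample=None, per_packet_overhead=0):
    """Bytes per hour and average bit rate for a message rate: worst case
    (every packet at MAX_SYSLOG_BYTES) and, if a sample is given, from the
    sample's observed average size. per_packet_overhead adds framing bytes."""
    def rates(bytes_per_msg):
        per_hour = msgs_per_hour * (bytes_per_msg + per_packet_overhead)
        return {
            "bytes_per_hour": per_hour,
            "mib_per_hour": per_hour / (1024 * 1024),
            "kbit_per_s": per_hour * 8 / 3600 / 1000,
        }
    est = {"worst_case": rates(MAX_SYSLOG_BYTES)}
    if sample:
        avg = sum(len(m.encode("utf-8")) for m in sample) / len(sample)
        est["sample_avg_bytes"] = avg
        est["from_sample"] = rates(avg)
    return est


if __name__ == "__main__":
    for line in SAMPLE_MESSAGES:
        print(parse_cisco_syslog(line))
    # 50000 msgs/hour as in the question: 51200000 bytes worst case, far less from the sample.
    print(bandwidth_estimate(50000, SAMPLE_MESSAGES, per_packet_overhead=IPV4_UDP_OVERHEAD))
```

The worst case is a sizing ceiling, not a forecast: short messages such as the samples average well under 100 bytes, so for a real budget capture an hour of traffic from the SIEM collector, feed those lines in as the sample, and keep the 1024-byte figure as the upper bound for link and storage planning.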
01-07-2014 08:05 PM
Hi Vinod,
Many thanks for the explanation. Now I have more clarity.
Thanks
Sreejith