Re: multiple syslog receivers with different messages

ampowell · ‎10-27-2008

Is it possible to configure syslog on a firewall with different messages going to different syslog receivers?

I would like to set up multiple firewall syslog receivers, each receiving a different level or class of messages. One syslog receiver is a workstation running network monitoring and alerting software. I want to send it only critical messages. A second syslog receiver is used to archive problems. I send it only warning messages and higher. I am considering MARS as a third syslog receiver. MARS wants all syslog messages at level debug and higher.

It would be helpful if the "logging host" command could differentiate message levels or message lists. The only alternative I can see is to send syslog messages at the lowest required level and then to filter out the messages at the receiver. Filtering out all the extra messages from a busy firewall will be strain on my existing syslog receivers.

Jon Marshall · ‎10-27-2008

Ann

Being honest i think you may be looking at this the wrong way round. Firewalls should be left to get on with what they do best and that is to allow or deny packets into/out of your network. What you don't want is to add any additional processing unless absolutely necessary.

In addition you would end up sending multiple copies of the same packets across your network which as you say from a busy firewall could generate a lot of traffic.

I would look to invest in a dedicated syslog server that received all traffic and then filtered into the relevant places. A long time ago i setup a similiar thing with syslog-ng where all messages were sent to a single server and then depending on the message severity a different action was taken.

Jon