I really recommend setting up fluentd, and then routing logging from there - it makes it very easy to keep auditor-appeasing logs, while also having important stuff sending pages. Log aggregation, organization, and search is a hard problem, other people have already done it and provided it as a service, and chances are it's NOT a core competency or secret sauce at your organization.
Once you get your logs in one routing system, you can do a lot with them, but stop rolling your own. This is a prime area for most companies to buy something that works better, for less than the cost of developing in house. And if you run your own aggregation layer - then you can easily try out a bunch of different systems and add/remove them easily. :)

Also, you may want to see one level of logs, but your auditors might wanna see another, and your engineers/sec team might wanna do some analytics on them. Being able to provide a solution for everyone who needs network logs at whatever detail level they ask for will make you popular at your organization.

On Sun, Feb 4, 2018 at 12:21 AM, Tarko Tikan <ta...@lanparty.ee> wrote:
> hey,
>
>> This is done with the 'logging facility' command on the devices:
>>
>> After defining your syslog server's IP address and the level of messaging you want (I set it to debug because I want to see everything):
>>
>> on the routers: logging facility local0
>> on the switches: logging facility local1
>>
> An alternative, and more universal, way to do it is to use multiple IPs for the syslog server. Then configure the correct syslog server IP on the device.
>
> syslog-ng and others can all do filtering to different destinations based on the IP where the message was received.
>
> --
> tarko
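The thread contrasts two ways of splitting network-device logs into separate streams: tagging them on the device with `logging facility local0`/`local1`, or pointing each device class at a different collector IP and filtering on the address the message arrived at. The following Python is an added example (not code from the thread or from syslog-ng/fluentd) that models both approaches over a few constructed RFC 3164 datagrams, plus a severity check for the "important stuff sending pages" case. The collector addresses (RFC 5737 documentation space), hostnames and facility-to-bucket mapping are assumptions chosen for the demonstration; in production the same decisions would live in the syslog-ng or fluentd configuration.

```python
import re
from collections import defaultdict

# RFC 3164 facility codes for the user-defined facilities named in the thread.
LOCAL0 = 16  # routers in the quoted setup
LOCAL1 = 17  # switches in the quoted setup
LOCAL7 = 23  # common vendor default when nobody configured a facility

# Constructed collector addresses for Tarko's multi-IP approach (RFC 5737 space).
ROUTER_COLLECTOR_IP = "192.0.2.10"
SWITCH_COLLECTOR_IP = "192.0.2.11"

PRI_RE = re.compile(r"^<(\d{1,3})>")


def parse_pri(message):
    """Return (facility, severity) from the leading <PRI> of an RFC 3164 message.

    PRI = facility * 8 + severity, so facility is PRI // 8 and severity is PRI % 8.
    Rejects messages without a PRI or with a PRI above the 191 maximum.
    """
    m = PRI_RE.match(message)
    if not m:
        raise ValueError("message has no <PRI> header: %r" % message[:20])
    pri = int(m.group(1))
    if pri > 191:
        raise ValueError("PRI out of range: %d" % pri)
    return pri // 8, pri % 8


def route_by_facility(dest_ip, message):
    """Approach 1: the facility the device was told to stamp decides the bucket.

    dest_ip is accepted but ignored so both strategies share one signature.
    A device left at its default facility falls through to 'other'.
    """
    facility, _severity = parse_pri(message)
    if facility == LOCAL0:
        return "routers"
    if facility == LOCAL1:
        return "switches"
    return "other"


def route_by_collector_ip(dest_ip, message):
    """Approach 2: the collector address the device was pointed at decides the bucket.

    Works regardless of what facility the device stamped, which is why the
    thread calls it more universal; the message body is not inspected at all.
    """
    return {ROUTER_COLLECTOR_IP: "routers",
            SWITCH_COLLECTOR_IP: "switches"}.get(dest_ip, "other")


def needs_page(message, max_severity=2):
    """True when severity is emergency (0), alert (1) or critical (2)."""
    _facility, severity = parse_pri(message)
    return severity <= max_severity


def route_batch(datagrams, strategy):
    """Group (dest_ip, message) pairs into buckets using the given strategy.

    Returns {bucket: [message, ...]}; messages that fail to parse land in
    'malformed' so a bad line never silently disappears from the audit trail.
    """
    buckets = defaultdict(list)
    for dest_ip, msg in datagrams:
        try:
            bucket = strategy(dest_ip, msg)
        except ValueError:
            bucket = "malformed"
        buckets[bucket].append(msg)
    return dict(buckets)


# Constructed sample datagrams: (collector IP the device sent to, raw message).
# rtr1 and sw1 are configured as in the thread; sw2 was never given a facility
# and still emits the vendor default local7, but was pointed at the switch IP.
SAMPLE_DATAGRAMS = [
    (ROUTER_COLLECTOR_IP, "<134>Feb  4 00:21:00 rtr1 %BGP-6-ADJCHANGE: neighbor up"),
    (SWITCH_COLLECTOR_IP, "<141>Feb  4 00:21:01 sw1 %LINK-5-CHANGED: Gi1/0/1 up"),
    (SWITCH_COLLECTOR_IP, "<190>Feb  4 00:21:02 sw2 %SYS-6-LOGGINGHOST_STARTSTOP: logging started"),
    (ROUTER_COLLECTOR_IP, "<130>Feb  4 00:21:03 rtr1 %ENV-2-FAN: fan failure"),
    (SWITCH_COLLECTOR_IP, "garbage without a PRI header"),
]

if __name__ == "__main__":
    for name, strategy in (("facility", route_by_facility),
                           ("collector IP", route_by_collector_ip)):
        buckets = route_batch(SAMPLE_DATAGRAMS, strategy)
        print("routing by %s: %s" % (name, {k: len(v) for k, v in buckets.items()}))
    print("pages:", [m.split()[3] for _ip, m in SAMPLE_DATAGRAMS if "<" in m and needs_page(m)])
```

Run as-is, the facility strategy puts the unconfigured `sw2` line into `other`, while the collector-IP strategy files it under `switches`; that difference is the practical meaning of "more universal" in the thread. Note that the IP strategy also never touches the message body, so a malformed line still routes, whereas the facility strategy has to parse it first.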