Syslog Server Suggestion

  • I am monitoring our client networks with Zabbix, which is working fairly well. I am still learning it, but running it on a VM at our colo it is stable and easy to use. It doesn't do Syslog Server though, so I tried Splunk and Zenoss, but both are just so heavy and demanding. Zenoss wants so many resources I can't reliably run it in a VM, and I am hesitant to install a server though I have one available. I may go that route if that is the best solution. Are there any other suggestions for a light, friendly solution? I perhaps will have at most 40 syslogs going to this; I can't imagine much more than that any time soon.


  • You might try logstash. I haven't used it personally, but I'm told folks like it and that it isn't as heavy as a full Splunk installation.

    Splunk supports acting as a syslog server itself, and accepting syslog-style traffic on port 514 (or whatever port you want). I'm using Splunk Storm[1] as a destination for my pfSense logs. Unfortunately, at the moment I'm having to do it in a very roundabout way. It seems as if the Splunk Storm instance isn't actually listening for UDP traffic, but TCP traffic works fine. I ended up installing a Splunk forwarder on a different host in my network, making that listen for log traffic from pfSense (UDP), and sending it from there on to Splunk Storm (over TCP).

    The basic version of Splunk Storm is free, but there are quite a few limits (how many accounts you can have log into the same instance, how long the data is kept, etc).  One of the really nice things is you don't have to administer the Splunk server yourself.
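The UDP-to-TCP hop described in the post above, as an added example (not the poster's setup, and not Splunk's or pfSense's code): it listens for UDP syslog, drops datagrams without a valid `<PRI>` header, and forwards each one over a single TCP connection using RFC 6587 octet-counting framing so message boundaries survive the stream. The destination `splunk-forward.example:1514` and the sample datagram are placeholders chosen for illustration.

```python
"""Minimal UDP -> TCP syslog relay (added example, not from the original thread)."""
import re
import socket

# <PRI> header shared by RFC 3164 and RFC 5424 messages: 0..191, no leading zeros required.
PRI_RE = re.compile(rb"^<(\d{1,3})>")

# Constructed sample in pfSense filterlog style; the fields are illustrative only.
SAMPLE_DATAGRAM = b"<134>Jan  1 00:00:00 pfsense filterlog: 5,,,1000000103,em0,match,block,in,4\n"


def parse_pri(datagram: bytes):
    """Return (facility, severity) from the <PRI> header, or None if absent/out of range."""
    m = PRI_RE.match(datagram)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:  # 23 facilities * 8 severities - 1
        return None
    return pri // 8, pri % 8


def frame_for_tcp(datagram: bytes) -> bytes:
    """RFC 6587 octet counting: b'LEN SP MSG'. UDP gives one message per datagram;
    a TCP stream has no boundaries, so the length prefix preserves them."""
    msg = datagram.rstrip(b"\r\n")
    return str(len(msg)).encode("ascii") + b" " + msg


def relay(listen_addr=("0.0.0.0", 514),
          dest_addr=("splunk-forward.example", 1514),  # assumed placeholder destination
          max_msgs=None):
    """Receive UDP syslog on listen_addr and forward each datagram over TCP to dest_addr.
    Datagrams with no valid PRI are discarded rather than forwarded. Binding port 514
    normally needs elevated privileges; pick a high port for testing."""
    udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    udp.bind(listen_addr)
    tcp = socket.create_connection(dest_addr)
    sent = 0
    try:
        while max_msgs is None or sent < max_msgs:
            data, _src = udp.recvfrom(65535)
            if parse_pri(data) is None:
                continue
            tcp.sendall(frame_for_tcp(data))
            sent += 1
    finally:
        udp.close()
        tcp.close()
    return sent


if __name__ == "__main__":
    relay()
```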

