Load Balancing

[floki]

Good Day,

Scenario:

We have 2 stand alone IDS [snort] and supervisor wants to connect the IDS to a Cluster of Nagios Log Server and the middle device between them is a F5 load balancer. Is it a good Idea? or We can just throw the snort alerts to Nagios Log Server directly? Also, is it a good idea to have a private network between the Nagios Log Servers?

Thanks

[cdienger]

You would like to know if it is better to send the IDS logs to a load balancer that then forwards to one of the NLS machines OR if it is best to just send the logs directly to a NLS server and bypass the F5? Either should work honestly but splitting the load with a load balancer can help with performance - especially if there are a lot of logs.

I wouldn't recommend setting up a private network for the machines unless the environment requires it.

[floki]

ohhhh I see, thanks for that. I'll just let them decide if they want to have load balancing. Using the production network, the production traffic won't be affected right? So there's no need to use a private network between them?


Thanks a lot!

[cdienger]

Correct, the production network shouldn't be affected.

[floki]

Alright! thanks a lot. Additional question:
1. how do you remove the log your monitoring with nagios log server without removing the monitored server from nagios log server?
2. I tested the file monitoring with nagios log server and I want to remove the file monitoring so is there a way to remove? and how can I verify? Thanks!

[cdienger]

The log file monitoring setup script will create a rsyslog config file for the log file under /etc/rsyslog.d/ on the client side Removing this file and restarting the syslog service should do the trick.

Since the initial question has been answered, I will go ahead and lock this thread. Please open a new thread for any new topics.