Some questions of Log Server

[bennspectrum]

Hi, I have three questions.
[1] the hardware specifications of Nagios Log Server.
We need use the Nagios Log Server to collect about 50GB/day data.
Does Log Server have any hardware specifications recommendation?
How many instances of Nagios Log Server you recommend?

[2] The version upgrade of elasticsearch and Kibana.
The current version of elasticsearch in the Log Server was 1.6.
Do you have any plans to upgrade the version.
On the other hand, will the Kibana 4 will replace the Kibana 3 in the Log Server in the future?

[3] the Collect Agent of AIX and HP-UX.
If I want to collect the Log data of AIX and HP-UX.
Do you have any recommended Collect Agent?
And how to implement and configure in the AIX and HP-UX?

Thank very much.

[rkennedy]

1. This really depends on the amount of logs, that you're looking to keep open at a time. Since the logs will 'cache' to ram, you need to have enough of it to handle what's currently open. If you are not worried about actively searching through items after 7 days, then you could close indexes after 7 days. This will cause them to be stored on disk, and not cached to memory. Keep in mind, you can always reopen an index. I believe 3-4 members with 63GB (the max you'll want to do per instance for performance reasons) should be able to handle that load, but again, it depends on how long you need to keep the indexes open as I explained above.

2. Yes, NLS will be updated in the future. I do not have timeline available.

3. Do your AIX systems have rsyslog or any syslog forwarding agents currently installed on it? If so, you'll just want to forward it all over TCP/UDP to your input on NLS.

[bennspectrum]

rkennedy, thanks!

About the question 3, Are there have any references or documents about AIX system rsyslog setting and the HP-UX system log collecting method？

[rkennedy]

It just follows the standard rsyslog configuration, where 1.2.3.4:5544 is the NLS machine. For example -

Code: Select all

    $ModLoad imfile
    $InputFilePollInterval 10
    $PrivDropToGroup adm
    $WorkDirectory /path/to/rsyslog/spool
     
    # Input for FILE_PATH
    $InputFileName FILE_PATH
    $InputFileTag FILE_TAG:
    $InputFileStateFile nls-state-FILE_ID # Must be unique for each file being polled
    # Uncomment the folowing line to override the default severity for messages
    # from this file.
    #$InputFileSeverity info
    $InputFilePersistStateInterval 20000
    $InputRunFileMonitor
     
    # Forward to Nagios Logserver and then discard.
    if $programname == 'FILE_TAG' then @@1.2.3.4:5544
    if $programname == 'FILE_TAG' then ~

[bennspectrum]

@rkennedy, thank you,

I did it!

[mcapra]

Awesome! Is it alright if we lock this thread and mark the issue as resolved?

[bennspectrum]

@mcapra

Ok, thank you.