Channel: THWACK: Popular Discussions - Kiwi Syslog

Email w/attachments or custom Archive Emails

One point of frustration--which I haven't seen feature development for--is alerting when messages get out of control. For instance, we email all EMERG, CRIT & ALERTs to our team. Unfortunately, every vendor has a different definition of what that means. So every packet denied by a firewall may be an ALERT. On Cisco, bad power, fan or temperature problems don't generate one message, but hundreds to thousands for a single event.

I've been doing syslog alerting for a decade, so I know these events need to be filtered out, then email the remaining. This provides a brilliant alerting system for an enterprise and has kept our network teams on top of issues for years. It has outperformed Tivoli and Openview installations, and it costs a fraction of a percent of what those systems cost. Nothing like having a switch email you that he's having a hardware issue on blade 5 or someone plugged an illegal device into port 4/5 on the 5th floor switch.

The problem comes with the spams of alerts that I filter out first. I log these into separate files sometimes, depending upon what they are. But often, we still need to know they exist. I haven't concocted a really good mechanism for this.

My current solution is to log them to a file, and every hour or whenever, I have an archive process the presence of the file to its permanent folder, then email an Archive notification which names the ARCHIVE schedule and the folders. One of us then has to log into syslog and examine the file to read what happened.

I'd prefer if we simply were able to email the file as an attachment. I realize there are limits to filesize, but that's okay. I'd even accept an email that said, "the file could not be attached because '%filename%' exceeded XXX bytes."

Also the title of the ARCHIVE is generic--which means we have to open each email.  I'd like to see a custom email title on ARCHIVE & CLEANUP notifies the same as I have with Emails on syslog messages.

I'd also love to see Email alerts (with custom email subjects!) on log rotations. There are logs that capture the background noise of the environment--some things always exist but only in volume must you deal with them. It would be great to have an email when a log file exceeds a certain size. But an email when a log file rotates would work well too (as it would repeat the alert as it grows).

If anyone thinks of another trick to get basic email only when a certain volume occurs, I'd love to see if it would work for my customers.

I've got one installation that does an absolutely sick amount of logging with Kiwi. We receive about 60-80 million messages a day from a single firewall. It's about 28MB of messages to disk per minute during the peak of the day. The rest of the environment does another 12-25 million messages on a second server. Kiwi handles it beautifully. The first key is a high end processor (turn off hyperthreading) and an aggressive RAID array. The 2nd trick--make your log directories compressed folders in Windows. The disk hit is lessened and with a multi-process CPU the compression is not noticeable. Meanwhile the syslog files compress 4-to-1 on average.
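
An added example (not part of the original post and not a Kiwi Syslog feature): one way to get a single email only when volume occurs is to post-process the logged alerts, collapsing any host/message pattern that repeats past a threshold within a time window into one digest with a descriptive subject. The log line format, hostnames, messages, threshold and function names are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Assumed line format: "<ISO time> <host> <severity> <message>"
LINE = re.compile(r"^(\S+) (\S+) (EMERG|ALERT|CRIT) (.*)$")

def build_sample():
    """Constructed input: a 300-message burst plus one isolated alert."""
    burst = [f"2024-01-01T10:00:{i % 60:02d} core-sw1 ALERT Fan {i % 4} failure detected"
             for i in range(300)]
    single = ["2024-01-01T10:00:30 floor5-sw CRIT Unauthorized device on port 4/5"]
    return burst + single

def triage(lines, window_seconds=300, threshold=20):
    """Return (individual, digests). A host/message pattern seen at least
    `threshold` times in one window becomes one digest, not one mail each."""
    buckets = defaultdict(list)
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not a severity we email on
        ts, host, sev, msg = m.groups()
        epoch = datetime.fromisoformat(ts).replace(tzinfo=timezone.utc).timestamp()
        signature = re.sub(r"\d+", "#", msg)  # "Fan 3 ..." and "Fan 1 ..." match
        buckets[(int(epoch // window_seconds), host, sev, signature)].append(line)
    individual, digests = [], []
    for (_, host, sev, signature), hits in sorted(buckets.items()):
        if len(hits) >= threshold:
            digests.append({"host": host, "severity": sev, "signature": signature,
                            "count": len(hits), "first": hits[0], "last": hits[-1]})
        else:
            individual.extend(hits)
    return individual, digests

def subject(digest):
    """Custom subject so the digest can be read without opening the mail."""
    return "[{severity}] {host}: {count}x {signature}".format(**digest)

if __name__ == "__main__":
    singles, bursts = triage(build_sample())
    for d in bursts:
        print(subject(d))
    for line in singles:
        print("SEND:", line)
```

The isolated port alert is still sent on its own, while the fan burst produces one message carrying the count and the first and last raw lines.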

