RKinsp
Contributor

Standby Management as Log Server - any downside?

Hey everyone,

Just wanted to get an opinion on this. We have a log-intensive environment with no dedicated log server. We use log_exporter with 6 instances, which seems to be consuming a lot of CPU.

Adding a dedicated log server would be best, but the project is already over budget.

There is a standby SMS licensed and the plan is to move logging and the log_exporters to this server, at least to speed up management itself.

Anybody think of a downside of doing this?

Thanks!

RK

0 Kudos
3 Replies
the_rock
Mentor

You can do that, but I'm worried you are going to have the same issue if the specs of that server are not good enough to take the load of all the logs in such an intensive environment.

RKinsp
Contributor

Thanks for the quick response!

That is a concern, true. Appliances are Smart-1 5150, which should index 40k logs per second.

We are not using SmartEvent because of the heavy log load and because the main purpose is just to forward the logs. Also it is a single domain.

Our big problem with the CPU though is that we think it is affecting publishing/installing speeds. Since using the Standby for logs is not an issue, we might actually split the gateway logs between the two firewalls...

0 Kudos
Vladimir
Champion

While it is difficult to speculate without knowing more about your environment, I suspect that the CPU consumption is primarily driven by the forwarders, not the indexing.

You should be able to split the logs (for instance, from local clusters) to the nearest SMS, be it standby or active, with the other designated for contingency logging. This said, if one of them goes down, the load on the remaining server will double and cause some unpleasantness.

If you indeed are forwarding to six different SIEMs/log dumps, perhaps the solution is to have an open source ETL do the split and forward from a single exporter instance.
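As an added illustration of the "one exporter, ETL does the split" idea from the reply above (this is example code, not anything from the thread, from Check Point, or from a particular ETL product), here is a minimal Python fan-out: one exported stream is parsed once and offered to each destination through its own bounded queue, so a slow or unreachable SIEM fills its own queue and starts dropping (counted) instead of stalling the others. The syslog-style line layout, the field names, the sink names and the sample lines are all constructed assumptions for the example.

```python
"""Fan out one exported log stream to several destinations (added example).

Assumptions, not taken from the thread: the single log_exporter instance emits
one syslog-style line per log with key:"value" fields in a bracketed body, and
each downstream SIEM accepts those lines over TCP. Sample lines, sink names and
field names are constructed for illustration.
"""
import queue
import re
import socket
from typing import Callable, Dict, Iterable, List, Optional

# Constructed sample lines (illustrative layout, not a real export).
SAMPLE_LOGS = [
    '<134>1 2024-01-01T10:00:00Z gw-a CheckPoint - - [action:"Accept"; src:"10.1.1.5"; dst:"8.8.8.8"; service:"53"]',
    '<134>1 2024-01-01T10:00:01Z gw-a CheckPoint - - [action:"Drop"; src:"10.1.1.9"; dst:"203.0.113.7"; service:"445"]',
    '<134>1 2024-01-01T10:00:02Z gw-b CheckPoint - - [action:"Accept"; src:"10.2.2.3"; dst:"10.2.2.1"; service:"443"]',
    '<134>1 2024-01-01T10:00:03Z gw-b CheckPoint - - [action:"Drop"; src:"192.0.2.4"; dst:"10.2.2.1"; service:"22"]',
]

FIELD_RE = re.compile(r'(\w+):"([^"]*)"')


def parse_fields(line: str) -> Dict[str, str]:
    """Extract key:"value" pairs from a line; parsing happens once per line, not once per SIEM."""
    return dict(FIELD_RE.findall(line))


class Sink:
    """One destination with an optional filter and a bounded queue.

    A destination that cannot keep up fills its own queue and starts dropping
    (counted in `dropped`) rather than back-pressuring the shared input.
    """

    def __init__(self, name: str, maxsize: int = 10000,
                 keep: Optional[Callable[[Dict[str, str]], bool]] = None):
        self.name = name
        self.keep = keep or (lambda fields: True)
        self.q: "queue.Queue[str]" = queue.Queue(maxsize=maxsize)
        self.dropped = 0

    def offer(self, line: str, fields: Dict[str, str]) -> bool:
        if not self.keep(fields):
            return False          # filtered out by this sink's policy, not a drop
        try:
            self.q.put_nowait(line)
            return True
        except queue.Full:
            self.dropped += 1     # overflow: record it so the loss is visible
            return False

    def drain(self) -> List[str]:
        """Take everything currently queued (a delivery worker would call this in a loop)."""
        out: List[str] = []
        while True:
            try:
                out.append(self.q.get_nowait())
            except queue.Empty:
                return out


def fan_out(lines: Iterable[str], sinks: List[Sink]) -> Dict[str, int]:
    """Offer every line to every sink; return the number each sink accepted."""
    accepted = {s.name: 0 for s in sinks}
    for line in lines:
        fields = parse_fields(line)
        for s in sinks:
            if s.offer(line, fields):
                accepted[s.name] += 1
    return accepted


def send_drained(sink: Sink, host: str, port: int) -> int:
    """Ship a sink's queued lines over TCP (not exercised offline; host/port are assumed)."""
    lines = sink.drain()
    with socket.create_connection((host, port), timeout=5) as conn:
        conn.sendall("".join(l + "\n" for l in lines).encode())
    return len(lines)


def run_demo() -> dict:
    """Three hypothetical destinations: everything, drops only, and one that cannot keep up."""
    sinks = [
        Sink("siem-all"),
        Sink("siem-drops", keep=lambda f: f.get("action") == "Drop"),
        Sink("siem-tiny", maxsize=1),   # queue of 1 simulates a backed-up SIEM
    ]
    accepted = fan_out(SAMPLE_LOGS, sinks)
    return {
        "accepted": accepted,
        "dropped": {s.name: s.dropped for s in sinks},
        "delivered": {s.name: s.drain() for s in sinks},
    }


if __name__ == "__main__":
    print(run_demo())
```

The point of the per-sink queue is the failure mode Vladimir mentions: when one destination goes away, the cost should land on that destination's counters, not on the one exporter process every SIEM depends on. A production ETL (Logstash, Fluentd, Vector and the like) implements the same pattern with disk-backed buffers; the toy above keeps it in memory so the behaviour can be seen on a few constructed lines.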