Overview
Preparation of a base infrastructure for high-availability ingestion of syslog data, with a default virtual server and a configuration for onboarding test data. Refer to the technology-specific onboarding procedures for individual log sources.
Requirements
Multiple critical log sources require a reliable syslog infrastructure. The solution must have the following attributes:
- Enterprise-supported Linux such as RHEL or CentOS
- A syslog configuration that does not affect the local logging of the host on which it runs
- External load balancing using DNAT. Where no enterprise shared-service NLB devices are available, KEMP offers a free-to-use version of its load balancer limited to 20 Mb/s, which is sufficient for many cases
Technical Environment
The following systems will be created on physical or virtual hosts. System specifications will vary with the estimated load.
- CentOS 7.x (current) servers in an n+1 configuration
- Minimum 2 GB memory
- Minimum 2 x 2.3 GHz cores
- Mounts configured per enterprise standard, with the following additions:
  - /opt/splunk 40 GB XFS
  - /var/splunk-syslog 40 GB XFS
- Dual-interfaced load balancer configured for DNAT support
- Subnet for load balancer virtual IPs, sized for at minimum one address per unique syslog source (technology); additional space for growth is strongly advised
- Subnet allocated for the syslog servers
Solution: Prepare the syslog-ng servers
The following procedure is used to prepare the syslog-ng servers:
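The preparation steps themselves are not reproduced on this page. The following is an added example, not the page's own procedure: a shell script that installs syslog-ng on CentOS 7, writes the network-listener configuration as a drop-in under /etc/syslog-ng/conf.d/ so that the stock syslog-ng.conf handling the host's own logs is left untouched, and stores received messages under /var/splunk-syslog/default. Only the mount path and port 514 come from the page; the drop-in file name splunk.conf, the EPEL repository, the firewalld commands, the per-host and per-day file layout, and the buffer sizes are assumptions.

```shell
#!/bin/bash
# Added example, not the page's own procedure: prepare a CentOS 7 host as a
# dedicated syslog-ng receiver for Splunk. Only /var/splunk-syslog and port 514
# come from the page; the drop-in name, EPEL, firewalld and the file layout
# under the default destination are assumptions.
set -eu

SPLUNK_SYSLOG_ROOT="${SPLUNK_SYSLOG_ROOT:-/var/splunk-syslog}"
SYSLOG_PORT="${SYSLOG_PORT:-514}"
CONF_FILE="${CONF_FILE:-/etc/syslog-ng/conf.d/splunk.conf}"

# Write the network-listener configuration as a conf.d drop-in. The stock
# syslog-ng.conf (assumed to include conf.d/*.conf, as the EPEL package does)
# keeps handling the host's own logs through its system() source; this file
# never references that source, so it cannot redirect or drop local entries.
write_splunk_syslog_conf() {
    local dest="$1"
    cat > "$dest" <<EOF
# Splunk syslog ingestion: network sources only, local logging untouched
source s_splunk_net {
    network(ip("0.0.0.0") port(${SYSLOG_PORT}) transport("tcp") max-connections(2000));
    network(ip("0.0.0.0") port(${SYSLOG_PORT}) transport("udp") so-rcvbuf(16777216));
};

# "default" virtual server: one directory per sending host, one file per day
destination d_splunk_default {
    file("${SPLUNK_SYSLOG_ROOT}/default/\${HOST}/\${YEAR}-\${MONTH}-\${DAY}.log"
         create-dirs(yes) dir-perm(0750) perm(0640));
};

log { source(s_splunk_net); destination(d_splunk_default); };
EOF
}

# Full preparation; run as root with "apply". Each step can be re-run safely.
apply() {
    yum -y install epel-release
    yum -y install syslog-ng
    install -d -m 0750 "${SPLUNK_SYSLOG_ROOT}/default"
    write_splunk_syslog_conf "$CONF_FILE"
    # A syntax error in any conf.d file stops syslog-ng as a whole, and with it
    # the host's own logging, so refuse to restart on a broken configuration.
    syslog-ng --syntax-only
    firewall-cmd --permanent --add-port="${SYSLOG_PORT}/tcp"
    firewall-cmd --permanent --add-port="${SYSLOG_PORT}/udp"
    firewall-cmd --reload
    # Only one daemon may own /dev/log; syslog-ng's stock configuration takes
    # over /var/log/messages, /var/log/secure etc. from rsyslog.
    systemctl stop rsyslog
    systemctl disable rsyslog
    systemctl enable syslog-ng
    systemctl restart syslog-ng
}

if [ "${1:-}" = "apply" ]; then
    apply
fi
```

Run the script with `apply` as root on each syslog server. With no argument it only defines the functions, so the drop-in can be generated and reviewed first with `write_splunk_syslog_conf /tmp/splunk.conf`. The technology-specific sources and destinations from the onboarding procedures are added as further drop-ins alongside this default one.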
Solution: Prepare the KEMP load balancer
Update syslog server routing configuration
Update the default gateway of the syslog servers to the address of the NLB's internal interface. This is required with DNAT: the load balancer rewrites only the destination address of incoming traffic, so the syslog servers' replies must leave through the NLB. If they take another route, the sender receives replies from the server's real address instead of the VIP and TCP connections never establish.
Validation procedure
From a Linux host, run the following commands to validate that the NLB and the log servers are working together:

    logger -P 514 -T -n <vip_ip> "test TCP"
    logger -P 514 -d -n <vip_ip> "test UDP"

Then verify on the syslog servers that both messages were logged under /var/splunk-syslog/default. Check for the TCP message specifically: a UDP datagram still arrives when the return path through the NLB is wrong, so a missing TCP message points at the default gateway step above.
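As an added example covering both the routing change above and this validation procedure (not the page's own script): a shell script with a function that moves the default gateway to the NLB internal interface with nmcli, a function that sends a TCP and a UDP test message to the VIP using the logger invocations from the page, and a check that both messages arrived under /var/splunk-syslog/default. The NetworkManager connection name (eth0), the marker format and the sample log lines used when testing the check are assumptions or constructed data.

```shell
#!/bin/bash
# Added example, not the page's own script: route the syslog servers through
# the NLB and validate ingestion over both transports. The logger options and
# /var/splunk-syslog/default come from the page; the connection name, marker
# format and sample data are assumptions.
set -eu

# Run on each syslog server: make the NLB internal interface the default route.
# DNAT rewrites only the destination address, so the sender's address stays as
# the source and the server's replies (TCP SYN-ACKs in particular) must go back
# through the NLB to reach the sender from the VIP. Via any other gateway the
# reply carries the server's real address and the sender drops it.
set_default_gateway() {
    local conn="$1" gw="$2"
    nmcli connection modify "$conn" ipv4.gateway "$gw"
    nmcli connection up "$conn"
    ip route show default
}

# Unique marker so the test lines can be told apart from real traffic
make_marker() {
    printf 'SYSLOG-HA-TEST-%s-%s' "$(hostname)" "$(date +%s)"
}

# From any Linux host: one message over TCP, one over UDP, both to the VIP
send_test_messages() {
    local vip="$1" marker="$2"
    logger -P 514 -T -n "$vip" "$marker test TCP"
    logger -P 514 -d -n "$vip" "$marker test UDP"
}

# On the syslog server: how many of the two expected test lines landed under
# the default destination (0, 1 or 2). Prints 0 when the directory is missing.
count_marker_hits() {
    local dir="$1" marker="$2"
    grep -rhF "$marker" "$dir" 2>/dev/null | grep -c -e 'test TCP' -e 'test UDP' || true
}

# Succeeds only when both lines are present. UDP is fire-and-forget and still
# arrives when the return path is wrong, so checking for "any message" would
# mask a broken TCP path; requiring both catches the gateway mistake.
validate_ingest() {
    local dir="$1" marker="$2"
    [ "$(count_marker_hits "$dir" "$marker")" -eq 2 ]
}

case "${1:-}" in
    gateway) set_default_gateway "${2:-eth0}" "$3" ;;
    send)    m=$(make_marker); send_test_messages "$2" "$m"; echo "marker: $m" ;;
    check)   validate_ingest /var/splunk-syslog/default "$2" && echo "TCP and UDP messages received" ;;
    *) ;;
esac
```

Usage: `./validate.sh gateway eth0 <nlb_internal_ip>` on each syslog server, `./validate.sh send <vip_ip>` from a Linux host (it prints the marker), then `./validate.sh check <marker>` on the syslog servers; the check exits non-zero unless both the TCP and the UDP line are found.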
Prepare Splunk Infrastructure for syslog