Messages Per Day

[cdukes]

I'd like to get an idea of the amount of messages that are being collected out there.
Please be accurate to the extent possible by not bragging or exaggerating
I'm also interested in knowing how many messages are generated by device/os type.
This would help me a lot if you have these numbers!

(please reply to this thread with your information)
For example:

Device Type	Device Count	Average Messages Per Day
Switches	3,000	120,000
Routers	2,300	1m
Postfix (X emails per day)	1	1.5m
Cisco ASA Firewalls	10	762k
Cisco VPN Concentrator	2	520

Note: I just made the numbers above up - they aren't real (which is why I need your help!)
Thanks!

[setuid0]

We are capturing ~7.5 Million events per day. I don't have the breakout exactly but I will give you the types here:
The ASA's give a majority of the info at this time as we run them on debug.

Cisco ASA Firewalls            4
Cisco routers                    5
Sonicwall Firewalls          160
Windows DC's                  10 at this count will be 170 in the next week
Juniper VPN                      2
Symantec Endpoint            2
Symantec 10 AV servers     2
Proofpoint Mail GW             4
Linux Servers                   15

More to come over the next 3 months to include:

Cisco routers                   165
Snort IDS                         10
WSFTP                              2
VMWare vSphere               30 - sorry AM foggy head typo. Not Fusion but vSphere
Windows Servers (member) 200
Exchange 2007                    6

[cdukes]

We are capturing ~7.5 Million events per day. I don't have the breakout exactly but I will give you the types here:
The ASA's give a majority of the info at this time as we run them on debug.

If you can get the messages per day for each, this would really help!
(but wait until Beta 17, it has ad-hoc charts so you can easily grab this number per host).

[ulistaerk]

Our 6 Mailserver generated 21438143 rows yesterday, so ~ 4M/day/host depending on SPAM.

Our cisco devices generate no load - like 1/day/host.

Other >100 linux-servers will also be only background noise where we expect to get less than 100-1000/day/host and they will report to different syslog-VMs.

[EspenT]

I use logzilla to collect messages from Digital TV headend equipment. Have a lot more stuff than this to monitor but so far this is what I got

HeadEnd units        messages per day
85                              80.000-110.000

Edit: 2010.04.09

176                             400.000-646.000

[stevepr]

I will post my data on when you get Beta 17 out. 

I average 10 - 14 Million messages per day.  400 - 450 Network devices.

90% Cisco Gear ( routers, switches, firewalls)
Juniper Routers
Foundry switches

[axi0n]

Hit about 895k total messages yesterday in my smallish setup...

Breakdown roughly seems to be...

~ 98% vSphere 4i (7 cluster nodes) (damn is vSphere chatty)..
~ 1% Cisco (noisier than normal as we have travelling users in this week which generate messages everytime a port goes up/down)
~ 1% Syslog messages generated from my 10 Linux testing servers

On that note... Has anyone found a way to decrese the verbosity of syslog on vSphere 4??  I know I can just filter at the Logzilla side, but I don't need a zillion status "green" for heartbeat events coming through in such a short interval.. I just need an instant one if things go bad in this environment...

[cdukes]

On that note... Has anyone found a way to decrese the verbosity of syslog on vSphere 4??  I know I can just filter at the Logzilla side, but I don't need a zillion status "green" for heartbeat events coming through in such a short interval.. I just need an instant one if things go bad in this environment...

You can either filter it out in syslog-ng or, once the release candidate comes out, I've added event suppression.

[morningwood]

Device Type         Device Count       Average Messages Per Day
Blue Coat Proxies   35 - 40              200M - 800M ( depends on the day of the week and various other factors )
SOCKS Server       2                       1 - 2K

We not pushing that much data into LogZilla at this time. We however are planning on moving to a LogZilla type solution in order to normalize and index the real time proxy log data.

We hope to have something up and running by May - June.

[raymond007]

i have 2 logzilla servers in 2 sites.

1.

227 Cisco Routers, Switches + Local Syslog - average of 17k messages/day as per logzilla graph.
 du -h /var/lib/mysql/syslog/
180M    /var/lib/mysql/syslog/


2.

2 cicso ASA fw + Local syslog - average of 3M messages/day as per logzilla graph.
 du -h /var/lib/mysql/syslog/
13G     /var/lib/mysql/syslog/

[VIA]

Bluecat DHCP Log ~ 1,000,000 MSG per Day

[running12]

Hello, i just installed logzilla with eval. lic.   and when i try to log in it shows:

 The 10M message limit for your license has been exceeded.  ( i only receive these logs from 1 FW)

i knew that i will need to filter some messages, but i need to look at it first to see which one should be filtered.  is there a solution for that ?

Thanks,
Sam

[cdukes]

Hello, i just installed logzilla with eval. lic.   and when i try to log in it shows:

 The 10M message limit for your license has been exceeded.  ( i only receive these logs from 1 FW)

i knew that i will need to filter some messages, but i need to look at it first to see which one should be filtered.  is there a solution for that ?

Thanks,
Sam

Hi Sam,
Please contact Pete Willis (pwillis@logzilla.pro) - he can generate a larger eval license for you.