Syslog huge...
  • Steve_W February 6

    In our DB usage 'syslog history' says it's 32gb, how I can I identify which server is taking all the space and purge it to clean it up then identify why it's so large.

  • Steven February 6

    HI Steve,

    When doing a syslog search in the EventSentry web reports, you can select the option "Group By:" and select 'Sender'. This will group all the incoming messages from the senders over the time period selected and let you know how many each device has sent.

    Steven

  • Steve_W February 7

    Hi, thanks for the info.
    We don't seem to have a 'sender', option only source, syslog host, facility, severity, message. I assume 'source' is the one to go for?

    At present most options I pick take ages to query sometimes timing out. It took me a while to get the database just back online and working this morning.

  • Steve_W February 8

    Now I've managed to shrink the database down the reporting works in the website altough very slow, is it possible to block or drop certain servers from reporting into Event sentry so they don't fill the database up.

  • Steve February 8

    Hi Steve,

    Yes, if the systems that you do not want to report are windows based running the EventSentry agent, simply remove the agent from those systems.

    If you have specific non-windows systems that you do not want to report to the database, you can select which systems are capable of reporting and which aren't by selecting the 'Authorized IP Addresses' option in the Syslog daemon. This will allow you to configure only syslogs from specific IP address that can be consolidated into the database.

  • Ingmar February 8

    Hi Steve,

    What type of database server (mssql, mysql, ...) are you using, and what type of hardware are you running the database server on (in particular, what is the disk subsystem)?

    32Gb is not that large, and queries should return quickly. The disk subsystem of your database server may not be adequate in this case.

    Are other reports slow as well?

    Ingmar.

  • Steve_W February 8

    It took 747 seconds to create the groupby syslog report. It runs on a rather strangulated VM but I'm more interested in excluding servers from reporting into Event Sentry in the first place.

  • Ingmar February 8

    OK, that makes sense then.

    Steve's instructions should help reduce the amount of data then. Of course you can also utilize the text filter to exclude Syslog events based on their message text.

  • Steve_W February 9

    Thanks both, I think we're getting there :)

Add a Comment

Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

Sign In

Categories