Few questions about syslog

Started by Egert143, November 23, 2019, 10:58:21 PM


Egert143

Hello

How well does NetXMS handle a large amount of syslog messages (~5GB per month, retention ~90 days)? Database in use is MS SQL Server. Currently I am collecting them with Splunk but curious if NetXMS could handle it.

Is it possible to save predefined searches for later use?

How would one search for some key words from syslog (using text field). Example log:

23.11.2019 22:41:23 Juniper Default 1 6 Juniper 1 1 2019-11-23T22:41:23.389+02:00 SRX1 RT_FLOW - RT_FLOW_SESSION_DENY [[email protected] source-address="192.168.1.2" source-port="50295" destination-address="8.8.8.8" destination-port="53" connection-tag="0" service-name="junos-dns-udp" protocol-id="17" icmp-type="0" policy-name="default-deny(global)" source-zone-name="Vlan-2" destination-zone-name="Internet" application="UNKNOWN" nested-application="UNKNOWN" username="N/A" roles="N/A" packet-incoming-interface="ge-2/0/1.2" encrypted="UNKNOWN" reason="policy deny"]

Tursiops

If you are using Splunk (or similar, ElasticSearch) for collecting and searching logs at present and you're happy with it, moving to NetXMS just for syslog would be a step backwards. It's not purpose built for that. Searches in Splunk or ElasticSearch will be faster.

1) 5GB per month means an average of 2kB/s. Just collecting the data shouldn't be an issue even with a desktop computer. Having said that, it will depend on what you do with it. Just collect it? Run syslog parsers over the top to generate events and alerts? Are you doing anything else inside NetXMS? How complex are your searches? Keep in mind that there's no index on the actual message field, so if you are searching based on text alone, well... not ideal. If you're after searching through piles and piles of logs, a purpose-built solution may be better. With that said, our syslog DB inside NetXMS is 55GB and only holds 60 days' worth of data. Works without issues for what we're doing with it.

2) No, unfortunately not.  :'(

3) I'm assuming you're thinking of searches like "source-address:192.168.1.2 AND destination-address:8.8.8.8". NetXMS doesn't work like that. You are literally searching through the text string using SQL wildcards, e.g. "%source-address="192.168.1.2"%destination-address="8.8.8.8"%". But as that is a match against the message string itself, the order actually matters. You can add multiple conditions which can be either AND or OR. You can't mix and match those.

So again, if you are looking for a solution for the sole purpose of searching through syslog data, it might make sense to stick with Splunk or switch to Elastic.
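The search behaviour Tursiops describes (a single SQL wildcard string against the raw message column, so field order matters; several conditions combined with only AND or only OR; no index on the message text) is easy to see with a small model. The script below is an added example and is not code from the thread or from NetXMS: an in-memory SQLite table stands in for the MS SQL syslog table, the three messages are constructed, trimmed down from the Juniper RT_FLOW line in the question, and the parse-then-filter function at the end shows the field-based search a purpose-built log platform does instead.

```python
import re
import sqlite3

# Constructed sample messages, modelled on the Juniper RT_FLOW line quoted in the thread
# (structured-data ID and most fields dropped; addresses and ports are made up).
SAMPLE_MESSAGES = [
    'RT_FLOW_SESSION_DENY [source-address="192.168.1.2" source-port="50295" '
    'destination-address="8.8.8.8" destination-port="53" policy-name="default-deny(global)"]',
    'RT_FLOW_SESSION_DENY [source-address="8.8.8.8" source-port="53" '
    'destination-address="192.168.1.2" destination-port="50295" policy-name="default-deny(global)"]',
    'RT_FLOW_SESSION_CREATE [source-address="192.168.1.2" source-port="50296" '
    'destination-address="1.1.1.1" destination-port="53" policy-name="allow-dns"]',
]


def build_db():
    """Stand-in for the syslog table: one unindexed text column holding the message."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE syslog (msg_id INTEGER PRIMARY KEY, message TEXT)")
    conn.executemany("INSERT INTO syslog (message) VALUES (?)",
                     [(m,) for m in SAMPLE_MESSAGES])
    return conn


def escape_like(fragment):
    """Escape the LIKE metacharacters so user-supplied text is matched literally."""
    return (fragment.replace("\\", "\\\\")
                    .replace("%", "\\%")
                    .replace("_", "\\_"))


def build_pattern(*fragments):
    """Join literal fragments with % wildcards: the single-string search from the
    thread. The order of the fragments becomes part of what is matched."""
    return "%" + "%".join(escape_like(f) for f in fragments) + "%"


def search_like(conn, pattern):
    """One LIKE condition over the raw message column; returns matching msg_ids."""
    rows = conn.execute(
        "SELECT msg_id FROM syslog WHERE message LIKE ? ESCAPE '\\' ORDER BY msg_id",
        (pattern,))
    return [r[0] for r in rows]


def search_conditions(conn, fragments, operator="AND"):
    """Several LIKE conditions combined with a single operator (AND or OR, never
    mixed). Each fragment is matched on its own, so field order no longer matters."""
    if operator not in ("AND", "OR"):
        raise ValueError("operator must be AND or OR")
    where = f" {operator} ".join("message LIKE ? ESCAPE '\\'" for _ in fragments)
    params = [build_pattern(f) for f in fragments]
    rows = conn.execute(f"SELECT msg_id FROM syslog WHERE {where} ORDER BY msg_id", params)
    return [r[0] for r in rows]


def uses_full_scan(conn, pattern):
    """True when the planner must read every row. A leading-% LIKE on a text column
    cannot use an index even if one existed, which is why message searches are slow."""
    plan = conn.execute(
        "EXPLAIN QUERY PLAN SELECT msg_id FROM syslog WHERE message LIKE ?",
        (pattern,)).fetchall()
    return any("SCAN" in row[-1].upper() for row in plan)


KV_RE = re.compile(r'([\w-]+)="([^"]*)"')


def parse_kv(message):
    """Extract the key="value" pairs from a structured-data style message."""
    return dict(KV_RE.findall(message))


def search_structured(conn, criteria):
    """Field-based search, as a log platform would do it: parse the message into
    fields, then compare field values. Order-independent and easy to extend."""
    hits = []
    for msg_id, message in conn.execute("SELECT msg_id, message FROM syslog ORDER BY msg_id"):
        fields = parse_kv(message)
        if all(fields.get(k) == v for k, v in criteria.items()):
            hits.append(msg_id)
    return hits


if __name__ == "__main__":
    conn = build_db()
    src_then_dst = build_pattern('source-address="192.168.1.2"', 'destination-address="8.8.8.8"')
    dst_then_src = build_pattern('destination-address="8.8.8.8"', 'source-address="192.168.1.2"')
    print("source then destination:", search_like(conn, src_then_dst))   # [1]
    print("destination then source:", search_like(conn, dst_then_src))   # []
    print("two AND conditions:", search_conditions(
        conn, ['destination-address="8.8.8.8"', 'source-address="192.168.1.2"']))  # [1]
    print("full table scan:", uses_full_scan(conn, "%8.8.8.8%"))          # True
    print("structured search:", search_structured(
        conn, {"source-address": "192.168.1.2", "policy-name": "default-deny(global)"}))  # [1]
```

The two `build_pattern` calls ask for the same pair of fields, but only the one whose fragments follow the order the device writes them finds the message; swapping the fragments finds nothing. Splitting the fields into separate AND'ed conditions removes the order dependence, at the cost of one extra scan per condition. The `ESCAPE` clause matters when operators type a literal `%` or `_` into the search box; SQLite's `LIKE` is case-insensitive for ASCII, whereas on SQL Server that depends on the column collation.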