11-20-2010 08:12 AM
I plan to use a syslog server for storing device logs, since NSM storage is quite small for storing traffic logs. My question is: can the NSM still access old logs from the syslog server for analysis and reporting?
11-22-2010 08:23 AM
Thanks for the reply.
We have an NSMexpress and 4 SRX5600. How many logs can be retained, assuming that the SRX logs all session (session close), screen and IDP? We wish to retain at least 15 days of logs. If the NSM cannot parse syslog data, what other options do we have?
11-22-2010 08:31 AM
I don't know how many logs your 5600 will be generating (depends on events per second).
Unfortunately NSM is designed to be a management station; it can handle some logging but not a lot. I don't have the exact figures anymore, but with one SRX you can make an NSM unresponsive.
Also, the SRX won't send all its log entries towards the NSM, since NSM is connected on the control plane and that can't handle the amount of logging a 5600 can generate.
Syslog is done by the forwarding plane to speed up the logging process.
You have several options:
1) Tweak the things you want to log and have a good backup strategy for your log files; you can restore files without restarting the services.
2) STRM is a better solution, since you can scale the STRM to parse the amount of logging you will need. STRM is also purpose built.