
Performing Syslog Event Analysis and Forwarding at the Edge. Inside a Container!

Many of us with an IT Operations background know Syslog event messaging as a highly useful logging function. It’s ubiquitous in Cisco hardware products and controllers, and most management software; it’s also prevalent in other IT. Syslog is used to inform about operational state, component failure, security incidents, and other informational items.

Our Cisco DNA Center and Cisco Secure Network Analytics (formerly Stealthwatch), along with common solutions like Splunk and Elasticsearch, receive syslog event data for analysis, reporting, alerting, and archiving.

Networks continue to grow to address the increased demands of mobile users and IoT. Since data producers and consumers can be distributed across locations, centralized logging can be inefficient with bandwidth usage. Logging is also used for different purposes – management/ops, security, accounting, and regulatory compliance. Different management tools may process specific log types and may actively filter to ignore others, so forwarding all messages, multiple times to different consumers, is an inefficient use of bandwidth, processing, and storage.


We have an opportunity to address this through spare capacity with Edge computing in the AppHosting capabilities of the Catalyst 9000 Series Switches. You’ve probably heard of or used AppHosting (Docker containers) embedded in switches for ThousandEyes collectors or iPerf agents. However, consider the benefits of performing syslog event analysis and forwarding at the edge, inside a container. We can leverage more complex filtering and forwarding that optimizes our bandwidth usage and provides an option to maintain local switch-container copies of the event messages in case of connection loss or application failure.

To achieve this benefit, we will deploy Syslog-NG, a popular open-source solution that also has a commercial offering. We configure the switch hosting the Syslog-NG container-app to forward its syslog event messages back into the container. Other network devices, servers, applications and IoT endpoints supporting syslog can send their messages to the container’s hostname/IP address for processing.

A Syslog-NG configuration file defines the sources, filters, destinations, and logging combinations.

This GitHub repo has been created to explain the technical details and to provide a Dockerfile and a syslog-ng.conf configuration file. In it we suggest filtering against ACL violation message patterns. Feel free to expand them to suit your needs! We also suggest destinations of your Cisco Secure Network Analytics or DNA Center instances. You can easily define your own Splunk, Elasticsearch or other syslog receivers.


We also provide a template for container-local log archiving using a date-grouping model. Once the AppHosted Syslog-NG is running and the switch and other optional nodes are forwarding their syslog event messages into it, then the message forwarding flow may look like this.


For more advanced and bandwidth-frugal environments, it’s possible to deploy additional instances of Syslog-NG on remote site switches with their own AppHosted instances of Syslog-NG.
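
A minimal syslog-ng.conf sketch of the source, filter, destination and log-path structure described above, including a date-grouped local archive. It is an added example, not the file from the repo; the version line, listener port, archive path, match pattern and the 192.0.2.x receiver addresses are assumptions to adapt.

```conf
@version: 3.38
# Added example (not the repo's syslog-ng.conf). Set @version to match the
# syslog-ng release inside your container image.

# Listen for events from the hosting switch and any other syslog senders.
source s_network {
    network(ip("0.0.0.0") port(514) transport("udp"));
    network(ip("0.0.0.0") port(514) transport("tcp"));
};

# ACL violation pattern (assumption): Cisco IOS access-list log mnemonics such
# as %SEC-6-IPACCESSLOGP. Depending on how the Cisco header is parsed, the
# mnemonic can land in MESSAGE or PROGRAM, so both fields are checked.
filter f_acl_violation {
    message("IPACCESSLOG") or program("IPACCESSLOG");
};

# Placeholder receivers (RFC 5737 documentation addresses).
destination d_security_analytics {
    network("192.0.2.10" port(514) transport("udp"));
};
destination d_dna_center {
    network("192.0.2.20" port(514) transport("udp"));
};

# Container-local archive grouped by date, one file per sending host.
destination d_local_archive {
    file("/var/log/archive/${YEAR}/${MONTH}/${DAY}/${HOST}.log"
         create-dirs(yes));
};

# Keep a local copy of everything in case the uplink or a receiver is down.
log { source(s_network); destination(d_local_archive); };

# Only ACL violations cross the WAN to the security analytics receiver.
log {
    source(s_network);
    filter(f_acl_violation);
    destination(d_security_analytics);
};

# Everything that is not an ACL violation goes to the operations receiver.
log {
    source(s_network);
    filter { not filter(f_acl_violation); };
    destination(d_dna_center);
};
```

Running `syslog-ng --syntax-only -f syslog-ng.conf` inside the container checks the file before the service is restarted.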


One of the first questions may be “Can it perform?” My own lab testing pumped 40,000 Syslog messages into the container in one minute with negligible increase of CPU on the container or the hosting switch. Additionally, we should acknowledge that the AppHosting environment is purposely engineered to not impact the switch’s main function – moving packets! If you have more than 40,000 syslog messages a minute, you’ll have other problems to worry about than CPU utilization. 😊

We hope you find this use-case helpful, and that it provides you with some thoughts on other ways to use the AppHosting feature of the Catalyst 9000 series switches.
