Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community

How many SysLog servers needed

Bronze Contributor

Is there any sort of documentation that states a Syslog server of X size can handle Y amount of traffic?  I thought I saw something somewhere but I cannot seem to locate the document again.

4 Replies

@Gary Bushey 

That's a good question and I'm guessing that it is not just about a syslog server in general but also about their ability to upload the logging data to Sentinel. I think that will be a bottleneck when large volumes of logs are involved as a Linux syslog server can be tweaked to support a high volume of events per second. I think that Log Analytics API only supports chunks of 30 MB upload per post so depending on the available bandwidth one can do some math on how many collectors would be needed for a specific volume of raw logs. 

 

We typically start with a 2 x CPU, 8 GB RAM, minimal CentOS 7.7 VM and it seems to be falling asleep for 15 - 20 GB/day (using standard UDP-based syslog traffic). When dealing with more stringent requirements, such as high availability one can start introducing load balancers, maybe engage in real devops by spinning syslog containers through Kubernetes, maybe use Kafka to manage the log stream.

 

I guess that empirically, one can setup a log generator and flood a "standard" syslog server to see where it starts to fall apart. I will probably add this to my to-do list.

 

Adrian Grigorof

www.managedsentinel.com

This might be the document you're looking at previously?
It suggests a 4CPU, 8GB RAM for 8,500 events per second on rsyslog (caps)
https://techcommunity.microsoft.com/t5/azure-sentinel/how-many-syslog-servers-needed/m-p/1365631

@crystan The URL you posted only re-opens this conversation :)

So terribly sorry, copy-paste fail right there. This should be the link:
https://docs.microsoft.com/en-us/azure/sentinel/connect-cef-agent?tabs=rsyslog